Legislative and Non Legislative Measures to Combat Identity Theft

Comparative Study on Legislative and Non Legislative Measures to Combat Identity Theft and Identity Related Crime: Final Report
TR-982-EC
NEIL ROBINSON, HANS GRAUX, DAVIDE MARIA PARRILLI, LISA KLAUTZER AND LORENZO VALERI
June 2011
Prepared for DG Home Affairs
Preface
This document is the Final Report of a comparative study on legislative and non-legislative measures to combat identity theft and identity-related crime. It includes:
• Chapters on the context and definitional understanding for a pan-European data collection exercise regarding the legal and non-legal measures aimed at addressing the challenge of identity theft.
• Summaries of the countries covered as part of this study.
• Analysis and conclusions from the overview of the evidence base above.
• An Appendix with National Profiles for each country covered.
This report represents a multi-stage ‘legislative and policy diagnostic’ intended to assess the
validity and effectiveness of current EU Member States’ legal and non-legal responses to
the particular public policy challenge of the emergence of identity theft. This is an
increasingly prevalent form of criminality and, with increasing reliance on public and
private identity infrastructures, a possible emergent risk to the growing information
society. This diagnostic consists of an overview of the typology of conduct; a review of the
existence and impact of current national legal and non legal means to address these forms
of conduct; and finally the exploration of appropriate mechanisms to improve the
situation. As such the data in this report, collected between March and May 2010,
represent a snapshot of the situation in mid-2010.
For more information about RAND Europe or this document, please contact:
Neil Robinson
RAND Europe
Westbrook Centre
Milton Road
Cambridge CB4 1YG
United Kingdom
+44(0)1223 353329
The views in this study are those of the authors and do not necessarily represent
those of the European Commission
Acknowledgements
The authors would like to express their gratitude to Prof. Jos Dumortier and Dr. Barrie
Irving for their helpful and thoughtful inputs to the study. In addition, the authors would
like to extend their thanks to those present at an Expert Meeting on Identity Theft and
Identity Management held in Brussels on 4-5th October 2010 who provided inputs and
further guidance.
Contents
Preface
Acknowledgements
Summary
CHAPTER 1 Introduction
1.1 The role of technology
CHAPTER 2 Overall concepts
2.1 What is identity?
2.2 Is identity theft part of identity fraud?
2.3 Conclusions
CHAPTER 3 A typology of identity-related crime
3.1 Options for classification and categorisation
3.2 Identity-related crime for direct economic gain
3.3 Relationship to other major forms of criminal activity
3.4 The means to perpetrate identity-related misuse
CHAPTER 4 The consequences of identity-related crime
4.1 The economic costs of identity theft and identity fraud
4.2 Personal impact
CHAPTER 5 Responses and mitigation: criminalisation and identity assurance
5.1 How to approach criminalisation?
5.2 Prevention
5.3 Relevant supranational legislative norms
5.4 Public-private international collaboration
5.5 The European policy response
5.6 National responses
5.6.1 Legislation
5.6.2 Non-legal responses
CHAPTER 6 Conclusions
CHAPTER 7 Country Summaries
7.1 Australia
7.2 Austria
7.3 Belgium
7.4 Bulgaria
7.5 Canada
7.6 China
7.7 Cyprus
7.8 Czech Republic
7.9 Denmark
7.10 Estonia
7.11 Finland
7.12 France
7.13 Germany
7.14 Greece
7.15 Hungary
7.16 India
7.17 Ireland
7.18 Italy
7.19 Japan
7.20 Latvia
7.21 Lithuania
7.22 Luxembourg
7.23 Malta
7.24 The Netherlands
7.25 Poland
7.26 Portugal
7.27 Romania
7.28 Russian Federation
7.29 Slovakia
7.30 Slovenia
7.31 Spain
7.32 Sweden
7.33 United Kingdom
7.34 United States
CHAPTER 8 Analysis
8.1 The legal perspective: a comparative overview of legislation
8.1.1 Legislation focusing explicitly on identity theft
8.1.2 Other offences applicable to identity theft incidents
8.2 Civil sanctions
8.3 Case law review with respect to identity theft
8.3.1 Introduction
8.3.2 Claiming a false identity online
8.3.3 Unlawfully using another person’s credentials
8.3.4 Phishing
8.3.5 Using falsified identity documents to unlawfully apply for social benefits
8.3.6 Trafficking in unlawfully obtained personal information
8.4 Identity theft reporting mechanisms
8.4.1 Introduction
8.4.2 Ad hoc online and offline identity theft reporting mechanisms
8.4.3 Generic reporting mechanisms
8.4.4 Other reporting mechanisms and informative sites
8.4.5 Cross-border collaboration and international reporting mechanisms
CHAPTER 9 Conclusions and recommendations
9.1.1 Key findings
9.1.2 Conclusions with respect to legislation
9.1.3 Conclusions with respect to case law
9.1.4 Conclusions with respect to reporting mechanisms
9.2 Recommendations
REFERENCES
Reference List
Appendices
Appendix 1: National Profiles
Summary
Identity has been termed the ‘central organising principle’ of the information age.
Undoubtedly, identity represents a currency for modern developed societies, and for
developing economies it acts as a gateway to further economic growth.
As far back as 1997, Peter G. Neumann was writing about a worrying rise in identity
theft.1 Although he stated that computer access was not essential for identity theft, he
identified that ‘remote, global, and possibly anonymous access’ would greatly increase these
risks. Dr Collins, former director of the Michigan State University Identity Theft
Partnership in Prevention programme and the Identity Theft Crime and Research Lab,
warned that identity theft and not terrorism may be the crime of the future.2 Bruce
Schneier, founder and CEO of Counterpane Internet Security, Inc, has called identity
theft ‘the new crime of the information age.’3
However, identity theft not only targets online activities. The increasing importance of
identity infrastructures in the delivery of public services or as part of border control
measures attracts those looking for opportunities to exploit vulnerabilities as part of their
own criminal enterprises. Forms of offline identity theft include passport forgery, the
forgery of administrative and official documents and the collection of identity-related
information from ‘dumpster diving’.
Nonetheless, despite increasing media interest and concern expressed by experts there is
still wide disagreement about what identity theft actually is. This is made worse by the
complexity of understanding identity, which is not a property that can be stolen as such (since
the use of information by one person does not generally deprive the other of its use),
rendering the metaphor of identity ‘theft’ somewhat inappropriate and misleading. Some
argue that identity theft is not a distinct crime in and of itself, and that it should mainly be
dealt with in the context of its relationship to other (possibly unlawful) activities that may
be facilitated by it. They argue that identity theft is part of identity fraud or a wider set of
identity-related abuses. Others claim that the ubiquity of technology, coupled with
globalisation, has led to the emergence of illegal identity ecosystems with criminals
committing ‘thefts’ but not subsequently using these identities (for other illegal purposes),
other than selling them to others. This, it is argued, means that identity theft should be a
separately defined crime in order to effectively deal with this type of activity. Others still
contend that the collection and/or sale of identities without lawful justification is already a
crime in its own right, since it constitutes a violation of European data protection rules,
and that the problem lies mainly in the effective enforcement of these rules.
1 Neumann (1997)
2 Collins (2003)
3 Schneier (2004)
RAND Europe & time-lex
Notwithstanding this, there are a number of ways in which identity theft or fraud may be
perpetrated, both with and without the use of technology. Examples include shoulder
surfing, suborning corrupt officials, stealing physical blanks of identity documents (eg,
credit cards or passports), phishing, pharming and hacking. These methods may all be used
in a blended fashion to acquire or steal identity and use it for further purposes. The
research described in our report indicates that economic gain is by far the most popular
motivating factor for committing identity theft or fraud. Other types of criminal or illegal
activity identified in the literature that may be facilitated by identity theft as a precursor
activity include money laundering, various types of fraud (of which there are many), illegal
immigration, personal vendetta, corruption and terrorism. This was recognised by Europol
in its 2006 EU Organised Crime Threat Assessment report.
The outcomes of identity-related crime include direct consequences for the individual and
different types of stakeholder (eg, businesses and governments). There may be longer-term
indirect consequences including the loss of trust that may occur as a result of abuse of
identity infrastructures and the increased costs that may be passed onto consumers and
citizens as a result of public and private sector organisations having to invest more in secure
identity and authentication infrastructures. Direct consequences to the individual include
the money that is stolen from them, the amount they have to pay in reconstituting their
name, the loss of earnings or lost opportunity cost as a result of damage to reputation
caused by becoming an identity theft victim, and time and effort spent in taking restorative
action. Victims might also suffer opprobrium from being mistakenly associated with
crimes where their identity was used, for example illegal immigration or terrorism. This
might be exacerbated by false imprisonment and other consequences of not being able to
clear their name.
Addressing this challenge is unique as it sits astride the boundary between both the public
and private sectors: incentives to solve or address problems are external to those most
affected and there is no single ‘magic bullet’ that will eliminate the problem. Persistence,
cooperation, coordination and communication will be necessary to overcome a multitude
of barriers currently blocking effective solutions. These were all things highlighted by the
European Commission’s own Action Plan to prevent fraud on non-cash means of payment
(2004–07) which reflected that ‘identity theft is a cross sector problem, affecting
governments, businesses and citizens... and is often linked to organised crime.’ There are
interesting parallels between identity theft and efforts to address cybercrime. As with
information technology, identity is both the target and the means of abuse. There are other
parallels too, most notably in the transnational nature of identity theft and identity-related
crime, the need for public and private sectors to work together, and the importance of
‘soft-law’ measures in addressing the problem. Indeed, it may be seen that reducing the
opportunities available in the first instance, by the state encouraging citizens to take greater
responsibility for their identities, constitutes an attractive route to addressing this type of
malicious activity. There are also myriad definitional aspects to the challenge.
Analysis
In the three tables below we present an overview of the countries profiled in this study.
Table 1, below, indicates which countries have specific criminal legislation dedicated to
identity theft or have relevant provisions in other criminal law. It also shows where specific
case law exists. Whether each country has a specific dedicated reporting point for identity
theft crime is noted, as is the existence of public awareness campaigns.
Table 1 Overall country comparison
Columns: Country; Specific ID theft law?; Relevant provisions in criminal law?; Case law?; Specific dedicated reporting point?; Public awareness campaign?
Countries: Australia, Austria, Belgium, Bulgaria, Canada, China, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Russian Federation, Slovakia, Slovenia, Spain, Sweden, United Kingdom, United States
Table 2 Maximum and minimum available criminal sanctions
Country | Maximum criminal sanction | Minimum criminal sanction
Australia | Up to 10 years (Criminal Code Part 7.3) | 1 year (Criminal Code Part 7.4)
Austria | Up to 10 years (Sec 148a StGB Penal Act) | 3 months (Sec 108 Federal Act Enacting a Telecommunications Act - TKB - 2003)
Belgium | Up to 10 years (Article 196 Criminal Code) | 15 days (Art 124 of Law of 13 June 2005)
Bulgaria | Up to 20 years (e.g. Art. 212 Criminal Code) | Up to 1 year (e.g. Art 319e Para 1 of Criminal Code)
Canada | Up to 14 years (Section 380(1) of the Criminal Code) | Up to six months (Section 342.01 Criminal Code)
China | Death (Article 192, 194 and 195 of Criminal Code) | Up to three years (Art 23bis of Criminal Code)
Cyprus | Up to 14 years (Part VIII of the Criminal Code. Section 333) | At least 2 years (Section 10 of law of 2004 ratifying Cybercrime convention)
Czech Republic | Up to 12 years (Section 209 Criminal Code) | 6 months (Section 232 (1) (a) or (b) of The Criminal Code)
Denmark | Up to 6 years (Article 171 Criminal Code) | 4 months (Act No 429 on the processing of personal data)
Estonia | Up to 5 years (Section 213 of the Criminal Code) | Up to 1 year (Section 344)
Finland | Up to 4 years (Section 2 of Ch 33 of the Criminal Code) | At least 4 months (Section 2 of Ch 36 of Criminal Code)
France | Up to 10 years (Article 441-4 Criminal Code) | Up to 1 year (222-16-1 Criminal Code)
Germany | Up to 10 years (Section 263(1) Criminal Code) | Up to six months (Section 269 (3) Criminal Code)
Greece | Life sentence (Article 1 of Law 1608/1950) | 3 months (Section 370C(2) Penal Code)
Hungary | Up to 10 years (Article 318 Criminal Code) | Up to 1 year (Article 276 Criminal Code)
India | Up to 10 years (Section 70, IT Act 2000 and 2008) | Up to three years (Section 66 A IT Act 2000, 2008)
Ireland | Up to 10 years (Section 9 Criminal Justice (Theft and Fraud Offences) Act 2001) | Up to 3 months (Section 5 Criminal Damage Act 1991)
Italy | Up to 6 years (Art 497bis Criminal Code) | At least 6 months (Article 640 Criminal Code)
Japan | Up to 10 years (Article 246 Penal Code) | At least three months (Art. 258 Penal Code)
Latvia | Up to 15 years (Section 177(1) Criminal Code) | Up to 2 years (Section 145 Law of 23 March 2000)
Lithuania | Up to 6 years (Section 2 of Article 196 of Criminal Code) | Up to 2 years (Art. 198(2))
Luxembourg | Up to 10 years (Article 196 Criminal Code) | At least 8 days (Article 231 of the Criminal Code)
Malta | 7 years (Article 308, Chapter 9 Criminal Code) | Not exceeding 20 days (Article 308, Chapter 9 Criminal Code)
The Netherlands | 6 years (Article 255 Criminal Code) | Maximum 1 month (Section 1 Article 350b Criminal Code)
Poland | Up to 8 years (Article 286 Section 1 Criminal Code) | At least 3 months (Article 287 Section 1 Criminal Code)
Portugal | Up to 10 years (Article 4 Cybercrime Law; Law no. 109/2009) | At least 6 months (Article 256 Criminal Code)
Romania | Up to 20 years (Art 215 Criminal Code) | At least 3 months (Article 291 Criminal Code)
Russian Federation | Up to 10 years (Article 159 Criminal Code) | Up to 3 months (Article 325 Criminal Code)
Slovakia | Up to 15 years (Article 221 Criminal Code) | At least 6 months (Article 226 Criminal Code)
Slovenia | Up to 10 years (Article 211 Criminal Code) | At least 3 months (e.g. Article 237 Criminal Code)
Spain | Up to 8 years (Article 399bis Criminal Code) | At least 3 months (Article 392, no. 2)
Sweden | 6 years (Chapter 9 Section 3 Penal Code) | 6 months (9 Section 2 Penal Code)
United Kingdom | Up to 10 years (Fraud Act 2006) | 12 months (Section 2. Computer and Misuse Act 1990 as amended by Police and Justice Act 2006)
United States | Life imprisonment (Title 18 Section 1030 US Criminal Code) | Up to 1 year (Section 2701-2711 Criminal Code)
Table 2, above, indicates the maximum and minimum criminal sanctions available from
criminal law provisions in each country.
Table 3 Reporting mechanisms
Country | Dedicated off/online portal?
Australia | Online
Austria | Online
Belgium | Online
Bulgaria | Online
Canada | None
China | None
Cyprus | None
Czech Republic | None
Denmark | None
Estonia | Offline
Finland | Online
France | None
Germany | None
Greece | Online
Hungary | None
India | Offline
Ireland | Offline
Italy | Online
Japan | None
Latvia | Online
Lithuania | Online
Luxembourg | None
Malta | Online
The Netherlands | Online
Poland | None
Portugal | Offline
Romania | None
Russian Federation | Online
Slovakia | None
Slovenia | None
Spain | None
Sweden | None
United Kingdom | Online
United States | Online
Further columns: ID theft; All crime; Feedback
Table 3, above, illustrates in further detail the existence of reporting mechanisms, whether
they are on- or offline, and whether they cover identity theft specifically or all forms of
crime. Finally, the table illustrates whether there is a feedback mechanism for keeping the
victim or individual who made the report apprised of the progress of the case.
Conclusions
In attempting to categorise identity-related crime, there are a number of dimensions which
may be relevant, including: the role of information technology in the commission of the
activity; the mechanisms used to obtain or fabricate identity information; the types of
identity information and stakeholder targeted; and the resultant use that identity
information is put to (for example, defamation or character assassination, crimes against
persons, infiltration of organisations for espionage, sabotage, terrorism, drug smuggling,
money laundering, illegal immigration, etc.). Furthermore, identity-related misuse/crime
can be categorised according to its purpose (related to, but different from consideration as
to whether it is fraud or a separate distinct form of criminality as described above). In any
respect, the most popular motives for the use of stolen identity documents are financial,
and include obtaining and using credit, procuring cash and fraudulent loan applications.
When examining how countries attempt to address identity theft and identity-related
crime from a policy perspective, the central conclusion of this study is that there exists a
fair amount of difference. A minority of countries, most obviously the United States, have
enacted specific identity theft legislation. Others, such as Canada or France, address the
problem by dealing with precursor activities through the prism of criminal law. On the
whole, however, out of the countries studied there exists little specific identity theft or
identity-related crime law, with most using existing fraud or forgery legislation.
This brings us to the problem of where best to intervene, since the cross-border potential
of these forms of misuse (especially where identity theft and identity-related crimes are
linked to organised crime, money laundering or terrorism) requires concerted action
amongst Member States but also at the EU level.
The complexities of bringing into force a single pan-European instrument are not
insignificant. As Chapter 1 shows, a generally agreeable definition of identity theft remains
elusive amongst practitioners, experts and academics. It seems that many on the front line
take the view that ‘we know it when we see it’, but of course this approach has its limits:
whilst it may be sufficient for police and operational level coordination, cross-border cases
require a rather clearer understanding. Furthermore the absence of a clear definition makes
the collection of statistics (necessary to appropriately tailor any response) difficult.
Nonetheless, the evidence presented in this report indicates that key policy priorities
should revolve around the sharing of best practices and improving communication. The
latter should apply both to exchanges between victim and investigator, and between
investigators in different Member States. Setting up one-stop shops is a key part of the
solution, as these allow identity victims to more easily report identity crimes, and can also
act as a communications device to enable investigators to keep the victims updated on the
status of specific investigations. Indeed, such an approach is reflected in the Stockholm
Programme, where the European Commission was invited to take measures to
enhance/improve public-private partnerships. The study has identified several good
practice examples of such one-stop shops in Member States.
A second pivotal point is the collaboration between national investigative bodies through
an EU contact network, as is foreseen in Council Framework Decision 2005/222/JHA, at
least for electronic identity theft, and in the Council Conclusions of March 2010 on
implementing a concerted strategy to combat cybercrime, which envisages a variety of
softer measures such as:
• The consolidation and if necessary updating of the functions of the European Cybercrime Platform (subsequently elaborated in the remit of Europol’s European Union Cybercrime Task Force and the Internet Crime Reporting Online System (ICROS)).
• Foreseeing a permanent liaison body with user and victim organisations and the private sector.
These should facilitate interactions at the European level, which would improve the
effectiveness of European-scale investigations, with the additional benefit that such
experiences could be extended to other categories of criminal investigations. Further down
the road, it is equally important to extend this approach to other countries (as foreseen in
the Convention on Cybercrime), which will require renewed policy attention on this
point.
Finally, identity theft also clearly faces the challenge of policy priority. This is not a matter
of putting in place suitable legislation (which law applies) or addressing operational
challenges (who to talk to in international investigations), but simply a matter of
prioritisation: which cases of identity theft are worth investigating and prosecuting? The
question is not trivial: especially in international cases with an Internet component (eg, the
creation of false identities to enable fraud), investigations can be complex and very time
consuming, and as a consequence also very expensive. The country reports identified
several instances where cases were not followed up on, simply because of a real or perceived
disproportion between the harm suffered by the victim and the resources required to take
action (especially considering the uncertainty of the outcome beforehand). This is,
however, a challenge which applies to most categories of international crime, especially
those conducted via the Internet, where traces are often easier to hide by a skilled criminal.
Here, too, a common position needs to be found at the international level, since
differences in investigation and prosecution priorities between countries will only lead to
investigations in one country being blocked if they are not considered important enough
by investigators in a second country.
In summary, the reports have identified that there is indeed some variation between the
examined countries in the classification of identity-related crimes and their follow-up in
practice. However, and more importantly, this lack of common criminalisation rules does
not seem to be the key problem in effectively addressing identity theft challenges, as any
examined incident of identity theft is conceivably covered by one or (in most cases) more
possible criminal classifications. In theory, the European data protection rules (ie, a
qualification as unlawful processing of personal data) could act in this respect as a
convenient catch-all safety net for incidents with an otherwise unclear legal status, with the
added benefit of being common at the EU level. However, while the collected evidence
shows that data protection rules could play this unifying role in theory, it should also be
duly acknowledged that the reality is much different. Data protection rules are only rarely
applied to cases of identity theft in practice, as can be seen in the examined case law.
Enforcement of data protection rules is thus not likely to be an effective strategy to address
identity-related crime, unless the emphasis on enforcement of these rules is improved
significantly. In that light, it is not surprising that some countries have chosen to introduce
further qualifications with respect to identity theft, either as a matter of national preference
or with a view to ensuring that identity theft is given a higher priority.
While the lack of a common criminalisation framework does not appear to be the primary
barrier to effectively combat identity-related theft (at least not more so than for other types
of crime), cooperation between countries in the course of investigations and actual follow-up of reported cases is an issue. The country reports show that interactive online reporting
mechanisms are not yet prevalent, and that their functionality (when available) is generally
limited. Even when they allow victims to register complaints, the follow-up of the
complaint is in many cases unclear, and correspondents for the surveyed countries
frequently noted that investigations into specific incidents were not treated as a high
priority or closed relatively quickly when damages were unclear or perceived to be limited.
Whether or not a reprioritisation is required in this respect is, of course, mostly a policy
issue.
However, it does seem clear that a more effective response to identity theft incidents
requires two areas to be addressed as a priority. Firstly, cross-border criminal investigations
should be streamlined, both at the EU and international levels, building on the legal
frameworks that have already been mentioned. This requires more effective
communication between national investigative authorities, and preferably also a consensus
on which cases will be considered a priority for investigation, in order to avoid wasted
resources. Secondly, the reports show that reporting mechanisms (when available) are
generally perceived as useful by the victims, provided that they indicate clearly how
complaints will be processed, and most importantly that the victim receives follow-up
communication indicating what the status of a specific complaint is. Such reporting
mechanisms (or more accurately communication mechanisms, since feedback is required)
can be implemented building on existing good practices identified in certain Member
States.
Finally, the frequent use of such reporting mechanisms would also support the more
systematic collection of statistical data on identity theft and identity-related crime,
including the prevalence of specific categories of identity theft and identity-related crime,
their consequences to the victim, and possibly the outcome of any investigations. Such
data are currently largely unavailable at the national level, and mostly incomparable at the
European level even when they exist. Improving the availability of statistical data would
improve awareness of identity theft and identity-related crime risks, increase know-how,
and facilitate policy making at the national and European level, if implemented in a
sufficiently homogeneous way across the Member States.
Based on this approach, reporting of identity theft incidents could be improved, as could
the follow-up of complaints and the effectiveness of international investigations.
In summary, our study illustrates that in many EU Member States, despite the absence of a
single pan European instrument governing identity theft, there is no clear evidence of any
significant gaps in legislative responses. However, there remain a number of challenges in
respect of implementation and interpretation of existing laws with respect to identity theft,
most notably the applicability of existing rules with varying sanctions to identity theft
incidents, and the disparities observed in non-legal responses (e.g. the presence and efficacy
of reporting points, awareness campaigns and so on) which arguably are, as the UNODC
report illustrates, potentially more viable routes to addressing these forms of misuse.
Understanding the implications of any European intervention to address these issues might
thus best be served through further research into the costs and benefits of different options
for addressing identity theft and identity related crime (an exercise outside the scope of this
study), for example through a more formal regulatory impact assessment.
Structure of the remainder of this report
The rest of this document is structured in the following way: Chapter 1: Introduction and
Chapter 2: Overall concepts discuss the general factors that impinge upon identity theft and
identity-related crime, giving a definition of identity and exploring some of the
characteristics of the misuse of identity-related information (including whether identity
theft should be considered as part of identity-related fraud or separately). A number of
interesting conceptual frameworks are presented which illustrate the definitional
complexities inherent in this field. Chapter 3: A typology of identity-related crime gives a
more detailed summary of different attempts in the literature to define the means by which
identity theft takes place in both the online and offline worlds. This chapter also reflects on
the use of identity theft as a precursor activity to the commission of other forms of crime
such as corruption, fraud, terrorism and money laundering. Chapter 4: The Consequences of
identity-related crime presents a framework for understanding the direct and indirect
personal and organisational consequences of identity theft, ranging from the costs to rectify
the direct damage caused to broader socio-economic consequences (such as damage to
society, loss of trust and transferred costs that those responsible for identity infrastructures
may pass on to the consumer or citizen). Chapter 5: Responses and mitigation talks about
criminalisation, legal efforts and identity assurance as the main means by which the
challenges associated with identity theft and identity-related crime might be addressed.
Chapter 6: Conclusions brings together the findings of the previous chapters from the
analysis of the state of the art. Chapter 7: Country summaries contains short outlines of each
national country profile contained in the separate D2: Interim Report: National Country
Profiles. Chapter 8: Analysis lays out our impressions from the country profiles in a
structured format, and Chapter 9: Conclusions and Recommendations explains how these
impressions lead us to the recommendations as summarised above.
CHAPTER 1
Introduction
In this introduction we highlight the growing importance of identity, establish the
conceptual differences between identity and personal data and discuss some important
overarching issues relating to the drivers of the emergence of identity theft and identity-related misuse.
Identity is everywhere and a universal property. Governments and nation states rely upon
identity to identify and verify citizens and for ‘key aspects of governance’ including
national security and crime (via the identification of criminals and terrorists) but also
immigration and taxation. The private sector and individuals also use identity for banking,
property ownership and a wide range of other transactions.
Identity is more than a document. It may take the form of a set of information and
documentation (some of which may be paper and have specific legal status while others
might be in electronic form) that can be used to establish who we are as unique individuals
and also link to other information about us. The criminal misuse of identity is a major
concern precisely because of its universal and ubiquitous nature, and because of its pivotal
role in structuring societal interactions.
The use of identity-related information by public and private sectors, while not new, has
been catalysed by a range of trends including the emergence and popularity of technology
such as the Internet, cheap computing and broader societal trends including mobility,
globalisation and cheaper air travel. Technology has brought about new vulnerabilities –
especially via unsecured personal computers – and made existing identity infrastructures
more vulnerable (eg, by facilitating document forgery). Many have argued that this
constitutes technology enabled crime, whether the technology is being used to perpetrate
offline forms of identity crime (eg, via the use of high quality printers) or is conducted
entirely online (eg, via phishing). Technology is a double-edged sword: it both changes and
makes more efficient and effective the way in which identity can be established, but also
has similar effects on the way identity can be abused. Some have said that technology has
‘centralised’ identification infrastructures and concentrated data.4 Technology also permits
new and sophisticated methods of committing existing crimes, such as through the use of
the Internet to perpetrate advance fee fraud or the distribution of fake phishing emails in
order to dupe individuals into divulging personal data. The increased mobility of
individuals, facilitated by cheap air travel, also presents further opportunities for
immigration-related fraud, passport forgery and abuse of travel-related identity
documentation. Economic globalisation, meanwhile, renders public and private identity
infrastructures more complex and transnational, resulting in an expansion of the playing
field for those looking to exploit loopholes. Thus, although transnational fraud
(inextricably linked to the canon of identity-related crime) is an old problem, it has been
increasingly expanded in scope by economic globalisation and supporting technologies.
These risks and vulnerabilities are not only characteristic of developed countries, however.
Although developing countries may rely more on paper-based identity documents,
technology has rendered these vulnerable and the drivers for migration also present rich
opportunities for criminals looking to deceive expectant migrants looking to move to a
perceived ‘better life’.
4 Chryssikos et al. (2008)
1.1 The role of technology
Technological advances and the broad uptake of their new applications can have a
significant impact on the way identity crimes are committed and the targets that they are
committed against, as well as on the prevalence of identity crimes and the type of skills
used by the offender. Technological capacity (eg, the ability to store large amounts of data
at remote locations or on portable devices) means that more information of the type
necessary to commit an identity crime may be digitised and stored and therefore available
to (legal or illegal) access. Not only may the information necessary to commit identity
crime be more widely available, it may also be easier to gain access to information to
commit identity crime by using the characteristics of targets (eg, Internet users might
become easier targets). Choo et al. present a useful overview of future directions in
technology-enabled crime for the Australian Government’s Institute of Criminology where
they highlight that developments in digitisation, along with globalisation, the emergence of
payment and funds transfer systems and the growth of e-government are all driving various
forms of technology enabled crime (a term which by implication includes some of the
more popular forms of identity theft and fraud).5
Criminals also seem to be what is known in the business world as ‘early adopters’,
individuals who are taking up new technologies and creatively applying them for their own
purposes. Consequently, some authors have postulated that new technologies will benefit
criminals more while law enforcement will always lag behind, trying to catch up.6
The 2003 Cyber Trust and Crime Prevention (CTCP) study concluded for the UK
Foresight office also described the way in which criminals might take advantage of
technological developments and explored what technological solutions might be available
to reduce these risks and encourage trust in identity infrastructures.7
5 Choo et al. (2007)
6 Savona & Mignone (2004)
7 Cyber Trust and Crime Prevention (2004)
Specific technological developments that might have an impact on identity theft include
the increasing use of high-speed connectivity (wireless technologies such as WiFi, and 3G
radio technologies) and the decreasing cost and size as well as increasing processing power
of microprocessors. These help to enable identity infrastructures allowing more efficient
processing of identity-related information via the transmission and reception of such
credentials in digitised form. Furthermore, increasingly powerful microprocessors permit
more and more complex forms of identification to take place. The decreasing cost, size and
increasing capacity of storage devices (such as USB sticks and solid state disk drives) is
another driver as it facilitates more and more storage of digitised identity-related
information.8
8 Cave, J., et al. (2010)
CHAPTER 2
Overall concepts
In this chapter we present overall definitions of identity and explore some of the
characteristics of the misuse of identity-related information such as identity theft, identity-related fraud and identity crime.
2.1 What is identity?
Identity may be defined as ‘the individual characteristics by which a thing or person is
recognised or known’.9 A more precise definition is the subject of much philosophical
thought – identity can be thought to be related to whether an entity is self aware. Others
have argued that the idea of identity changes over time or in relation to events.10 Identity
information has been recognised as the currency of the modern developed society: a
‘central organising principle’11 around which the public and private sector increasingly
organises itself and which generates economic growth, value and efficiency.
The defining qualities of identity in the current era, where a seemingly infinite amount of
information is held electronically or is available online, have been summarised by the Joint
Research Centre of the European Commission as follows:
Each person has a unique identity, but in the digital age, many pseudo identities exist,
and these may be artefacts of a person or elements of a piece of hardware or software or
even an organization. Other qualities, including the actions of persons, can be attached
or linked to their identity, and people do not need to divulge their identity for all
transactions.12
The increasing complexity associated with understanding who one is really dealing with in
any one transaction is thus the chink through which offenders and criminals can abuse
identity information.
9 Definition by WordNet Search 3.0. As of 25 January 2011, available at: http://wordnetweb.princeton.edu/perl/webwn
10 Olsen (2002)
11 Madeline, J., Speech to the 2005 Annual Symposium of the Information Assurance Advisory Council
12 Mitchison et al. (2004)
2.2 Is identity theft part of identity fraud?
In 1994, Roger Clark wrote that:
Human identity is a delicate notion which requires consideration at the levels of
philosophy and psychology. Human identification, on the other hand, is a practical
matter. In a variety of contexts, each of us needs to identify other individuals, in order
to conduct a conversation or transact business.13
Based on this distinction between the vague and multifaceted concept of ‘identity’
compared to the more applied problem of ‘identification’, the use of the term ‘identity’ in
conjunction with ‘theft’, ‘fraud’, ‘crime’ or similar terms has undergone some criticism.14
However, when ignoring the conceptually easier to define and seemingly more correct
usage of ‘identification’ instead of ‘identity’, the next question is the definition of ‘identity
theft’, ‘identity fraud’ and ‘identity crime’.
The less commonly used ‘identity crime’ (or even ‘identity-related crime’) might be
terminology-wise more sound. Indeed this was the approach taken by the UN ISPAC in a
major international conference in 2007.
The difficulty of linking the relatively well understood legal definition of ‘theft’ to an
information-centric concept of ‘identity’ arises because the informational characteristics of
identity (non-exclusivity) render the assignment of the status of property (and hence theft)
complex: the fact that one person is falsely using the identity of another does not necessarily
mean that the victim is deprived of his or her identity. Legal definitions of the constructs
of theft and fraud may thus have an impact when considering the use and definition of
‘identity theft’ and ‘identity fraud’. As pointed out in the FIDIS report on the Dutch Penal
Code (and this applies to many other criminal codes in the world) theft requires the loss of
possession of tangible goods; consequently the applicability of the concept of theft with
respect to identity might be limited. Usage of the notion of ‘theft’ may also undermine the
reality that there is not only a criminal but also a civil aspect to identity theft/fraud that
may bring with it a tort liability for damages.15
Indeed, it may be more a question of interfering with the exclusivity of identity and the
rights and obligations related to it within our societal system. Broadly defined, ‘identity
crime’ would cover any crime that involves the fraudulent use of identity information,
whether that information refers to an actual (living or deceased16) natural person, an
existing organisation (ie, a legal person), or to a fictitious person. Abusing identity
information would in turn entail falsifying it, ‘stealing’ it, or accessing it unlawfully by
other means. The International Scientific and Professional Advisory Council (ISPAC) of
the United Nations Crime Prevention and Criminal Justice Programme remarked in its
report from the 2007 International Conference on ‘The evolving challenge of identity-related crime: addressing fraud and the criminal misuse and falsification of identity’ that:
Different terms such as identity theft and identity fraud are used in various
jurisdictions to describe the same conduct and in addition there is a lack of concerted
action to combat such conduct.17
13 Clark (1994)
14 Sproule & Archer (2007)
15 FIDIS (2006)
16 ‘Stealing’ the identity and sometimes the societal role of a dead person, who is not widely known to be deceased, is called ‘ghosting’
Indeed, in the remainder of its report and discussions, the term ‘identity-related crime’ was
subsequently agreed upon.
Given the prevalence of the terms ‘identity theft’ and ‘identity fraud’18 (which perhaps may
be recognised as different aspects of identity-related crime) their relationship and definition
will be essential for any research in this area. The difficulty that the lack of a commonly
accepted definition of ‘identity theft’ and ‘identity fraud’ poses for statistical comparisons,
research purposes, and policy formulation has been stressed by several authors such as
Koops & Leenes,19 Sproule & Archer,20 and in the World Privacy Forum’s report on
medical identity theft.21
There are a number of different ways in which the relationship between the terms ‘identity
theft’ and ‘identity fraud’ can be viewed22:
• Identity theft and identity fraud are frequently used interchangeably in media and
public awareness reporting (often in blogs and websites)
• Identity theft as the initial activity that is followed up subsequently by identity
fraud
• Identity theft as a subset of identity fraud23
Examples of those that treat identity theft as the initial activity followed by identity fraud
include Collins, who indicates that:
Identity theft, however, is to be distinguished from identity crimes – those offences
committed using the stolen personal or business identifying information – or ‘identities.’
Thus, the conceptual relationship between identity theft and identity crime is that the
former facilitates the latter. In short, stolen identities are used to commit many other
crimes which is why identity theft also can be viewed as an all-encompassing or
overarching megacrime… Personal identity theft is the unauthorized acquisition of
another individual’s personally sensitive identifying information: personal identity
crime is the use of such information to obtain credit, goods, services, money, or property,
or to commit a felony or a misdemeanour… The theft and the crime are two different
offences, each with its own structure of penalties and fines.24
17 Chryssikos et al. (2008)
18 As of 25 January 2011, the term ‘identity theft’ has 22.5 million Google and 23,500 Google Scholar hits, followed by 324,000 Google and 3,590 Google Scholar hits for ‘identity fraud’, and by 82,300 Google and 373 Google Scholar hits for ‘identity crime’
19 Koops & Leenes (2006)
20 Sproule & Archer (2007)
21 World Privacy Forum (2006)
22 Sproule & Archer (2007) list another distinction that is commonly used in the US banking industry. This differentiation views ‘identity theft’ as a subset of ‘identity fraud’, with identity theft describing fraud linked to the opening of a new account using someone else’s identity, while identity fraud is the use of an existing account by an unauthorized person
23 See Koops & Leenes (2006) and FIDIS (2006)
This indicates that the question of the complementarity or independence of the notion of ID
theft remains unresolved and needs to be tackled: in other words, it is pivotal to assess
whether or not ID theft can be considered as a crime as such (even if the stolen identity is
not used for other illegal purposes), or to the contrary whether ID theft may exist only
against the backdrop of a bigger criminal intent, called ‘megacrime’ by Collins.
A consultation that took place in 2004 as part of the Canadian government’s efforts to
design new legislation proposed a ‘double-branched’ definition of identity theft. This
required splitting it into two stages: a pre-attempt or preparatory stage of ‘acquiring,
collecting and transferring personal information and a subsequent stage as the actual use of
personal information in the attempt or actual commission of an offence’. This is ultimately
characterised as a continuum of criminal behaviour which starts with identity theft and
finishes with identity fraud.25 This ‘preparatory act’ approach is also used by the US
Identity Theft and Assumption Deterrence Act. While acknowledging the advantage of a
flexible and broad definition for law enforcement, Sproule & Archer regard this as being
too broad for research purposes.26 Finally, a 2005 report from Javelin used the term
‘identity theft’ to describe unauthorised access to personal information and ‘identity fraud’
as the use of that information to achieve illicit financial gain. Indeed, one can occur
without the other: identity information may be stolen from a corporate data centre and
then posted (yet not sold) on the criminal underground on the Internet and similarly
relatives may be given access to PIN numbers to act via proxy yet then misuse these
numbers for their own benefit.27
By comparison, in understanding and treating identity theft as a subset of identity fraud,
Lacey & Cuganesan define identity theft as an activity involving an individual ‘falsely
representing him or herself as another real person for some unlawful activity’ while
‘identity fraud comprises both the use of a real person’s identity (identity theft) as well as
that of a fictitious identity’.28 Gordon et al. indicate that for them, identity fraud ‘is
defined as the use of false identifiers, fraudulent documents, or a stolen identity (identity
theft) in the commission of a crime… Identity fraud is broader than identity theft in that
identity fraud refers to the fraudulent use of any identity, real or fictitious, while identity
theft is limited to the theft of a real person’s identity’.29 It is clear that to these authors, as
well as for the abovementioned sources, ID theft is not necessarily an independent crime.
Rather, it may exist only in conjunction with other illegal behaviours, so that ID theft
should be considered as being complementary to crimes such as fraud, corruption,
terrorism, etc.
24 Collins (2005) [cited in Sproule & Archer (2007)]
25 Canadian Department of Justice (2006) [cited in Sproule & Archer (2007)]
26 Sproule & Archer (2007)
27 Javelin (2005) [cited in Sproule & Archer (2007)]
28 Lacey & Cuganesan (2004)
29 Gordon et al. (2004)
Some definitions of identity theft, such as that proposed by the Organisation for Economic
Co-operation and Development (OECD), focus upon an act in which an existing (natural
or legal) person’s information is used in connection with a crime: ‘[identity theft is] when a
party acquires, transfers, possesses, or uses personal information of a natural or legal person
in an unauthorised manner, with the intent to commit, or in connection with, fraud or
other crimes.’30
By contrast, Grijpink’s understanding covers the use of identity theft based on the creation
of a fictitious person: ‘Someone with malicious intent consciously creates the semblance of
an identity that does not belong to him, using the identity of someone else or of a non-existent person’.31
The 2006 EU Future of Identity in the Digital Society project further develops these
intricacies in its conceptual framework for identity-related activities shown in Figure 1.32
Figure 1 Conceptual framework of identity-related activities
In this framework, identity theft is presented as a subset of identity fraud. The FIDIS
study also emphasises that not all identity-related activities are unlawful; there are lawful
identity changes, including public sketch situations like practical jokes with a hidden
camera where an actor assumes a different role.
Koops & Leenes, referring to a framework similar to that of the FIDIS report, highlight that
when tackling identity-related crimes (which they see as a wider umbrella term) lawmakers
and law enforcement agencies have to take into account not only situations where the use
of another person’s identity happens without the person’s consent but also when it
happens consensually yet unlawfully.33 Such a situation can occur if an unlawful identity
delegation or exchange harms a third party.
30 OECD (2008)
31 Grijpink (2003), p.148
32 FIDIS (2006)
Definitions can vary also with respect to the identifiers used. While, for example, the UK
Cabinet Office defines identity fraud as the case where ‘someone takes over a totally
fictitious name or adopts the name of another person with or without their consent’, and
thus refers only to the use of a name (fictitious or existing), most other definitions are not
restricted in this respect.34
There are also domain-specific definitions such as the definition of identity fraud by the
Dutch Ministry of Justice as ‘forms of misuse or fraud with respect to identity and identity
data, with which a person or a group of persons intends unlawfully to claim government
services, or otherwise to derive a benefit unlawfully’35 – in this interpretation, ID theft is
thus complementary to the commission of fraud.
Another more domain-focused definition of identity theft is provided by the World
Privacy Forum. It characterises medical identity theft as ‘theft [that] occurs when someone
uses a person's name and sometimes other parts of their identity – such as insurance
information – without the person’s knowledge or consent to obtain medical services or
goods, or uses the person’s identity information to make false claims for medical services or
goods. Medical identity theft frequently results in erroneous entries being put into existing
medical records, and can involve the creation of fictitious medical records in the victim’s
name.’36
Table 4, below, provides a comparative overview of definitions from a number of different
sources:
33 Koops & Leenes (2006)
34 UK Cabinet Office (2002)
35 Dutch Ministry of Justice (2003)
36 See (as of 25 January 2011): http://www.worldprivacyforum.org/medicalidentitytheft.html
Table 4 Comparative overview of defintions
Source
(a) Identity crime / identity-related
crime
(b) Identity theft
US Identity Theft
and Assumption
Deterrence Act
Whoever knowingly transfers or uses, without
lawful authority, a means of identification of
another person with the intent to commit, or
otherwise promote, carry on, or facilitate any
unlawful activity that constitutes a violation of
federal law, or that constitutes a felony under
any applicable state or local law.
OECD (2008)
ID theft occurs when a party acquires,
transfers, possesses, or uses personal
information of a natural or legal person in an
unauthorised manner, with the intent to
commit, or in connection with, fraud or other
crimes.
UK Home Office
Identity Fraud
Steering Committee
(available at:
http://www.identityth
eft.org.uk/identitycrimedefinitions.asp)
This is a generic term for identity
theft, creating a false identity or
committing identity fraud.
This occurs when sufficient information about
an identity is obtained to facilitate identity
fraud, irrespective of whether, in the case of an
individual, the victim is alive or dead. Identity
theft can result in fraud affecting consumers'
personal financial circumstances as well as
costing the government and financial services
millions of pounds a year.
Identity theft is also known as impersonation
fraud. It is the misappropriation of the identity
(eg, name, date of birth, current or previous
addresses) of another person without their
knowledge or consent.
UK Cabinet
(c) Identity fraud
(d) Other
This occurs when a false identity or
someone else’s identity details are used to
support unlawful activity, or when someone
avoids obligation/liability by falsely claiming
that he/she was the victim of identity fraud.
False Identity: This is a) a fictitious (ie,
invented) identity, or b) an existing (ie,
genuine) identity that has been altered to
create a fictitious identity.
Identity fraud involves the use of an
individual or a company’s identity information
to open accounts, fraudulently obtain social
security benefits, (in the case of individuals),
apply for credit and/or obtain goods and
services.
Identity fraud can be described as the use of
that stolen identity in criminal activity to
obtain goods or services by deception.
Stealing an individual’s identity does not, on
its own, constitute identity fraud and this is
an important distinction.
ID fraud arises when someone takes over a
totally fictitious name or adopts the name of
Office (2002)
10
RAND Europe & time-lex
Chapter 2 Overall concepts
another person with or without their consent.
UK’s Fraud Prevention Center (CIFAS) (available at: http://www.cifas.org.uk/default.asp?edit_id=566-56)
Mitchison et al. (2004) (JRC of the European Commission)
Identity theft (also known as impersonation fraud) is the misappropriation of the identity (such as the name, date of birth, current address or previous addresses) of another person, without their knowledge or consent. These identity details are then used to obtain goods and services in that person's name.
Identity fraud is the use of a misappropriated identity in criminal activity, to obtain goods or services by deception. This usually involves the use of stolen or forged identity documents such as a passport or driving licence.
The term “identity theft” is widely used in the United States, and not so widely in Europe. The paradigm case of identity theft seems to be:
• a rogue finds out some facts about, or acquires some documents belonging to, the ‘victim’
• he then uses these facts or documents to contact various organisations pretending to be the victim
• under these pretences, he either acquires control of the assets of the victim, or carries out acts with negative legal or financial consequences, which he misdirects to the victim.
Dutch Ministry of Justice, ‘Hoofdlijnen kabinetsbeleid fraudebestrijding 2003-2007’, 24 June 2003
Identity fraud concerns forms of misuse or fraud with respect to identity and identity data, with which a person or a group of persons intends to unlawfully claim government services, or to otherwise unlawfully benefit himself.
Perl (2003)
Identity theft is ‘the theft of identity information such as a name, date of birth, Social Security Number, credit card number,’ (Hoar 2001) or any other personal identification information in order to obtain ‘loans in the victim's name, steal money from the victim's bank accounts, illegally secure professional licenses, drivers licenses, and birth certificates,’ (Sabol 1999) or other unauthorized use of the victim's personal information for financial or other activity.
Criminal record identity theft occurs when the identity thief obtains a victim’s personal information and then commits crimes, traffic violations, or other illegal activities while acting as the victim. Instead of providing law enforcement with her own personal information, the identity thief provides the victim’s personal information in order for the identity thief to avoid criminal convictions and legal sanctions in her own name.
Koops & Leenes (2006)
Identity-related crime concerns all punishable activities that have identity as a target or a principal tool.
Identity theft is fraud or another unlawful activity where the identity of an existing person is used as a target or principal tool without that person’s consent.
Identity fraud is fraud committed with identity as a target or principal tool. (Fraud: ‘procuring, without right, an economic benefit for oneself or for another person.’)
Grijpink (2003) (followed also in FIDIS (2006))
Someone with malicious intent consciously creates the semblance of an identity that does not belong to him, using the identity of someone else or of a non-existent person.
2.3 Conclusions
Given the choice of possible definitions, it might perhaps be better to decide on the
relevant features that any such (working) definition should provide for. An example list of
characteristics of identity theft is provided by the FIDIS report.37 We propose to apply this
conceptual framework in the present report as well, as the FIDIS definition appears to be
comprehensive and sufficiently well structured to cover, from a pragmatic perspective, all
the different sorts of misuse envisaged. Furthermore, the FIDIS definition was arrived at
after a long consensus building process amongst a coherent (albeit small) community of
academics.
The FIDIS description states that identity theft must exhibit the characteristics of:
malicious intent; conscious action; creation of a semblance; use of a third party or ‘other’
identity not belonging to the perpetrator; use, not merely possession, of the acquired
identity; and finally that identity theft can involve existing and non-existing identities.
Nonetheless, the use of working definitions at the operational level represents a level of
cooperation generally not present in the legal domain. Indeed, it may well be the case that
addressing the policy challenges associated with identity theft and identity-related crime is
best undertaken using a pragmatic approach.
Against the abundance of definitions and the blurry lines that separate each definition,
identifying those used in different jurisdictions is essential to establish useful international
cooperation.
37 FIDIS (2006)
CHAPTER 3
A typology of identity-related crime
In this chapter we build upon the understanding of identity and identity-related crime
(including pure theft but also the onward use of stolen or fabricated identities to commit
other crimes) described in Chapter 2 to elaborate on the different technical approaches,
whether they be offline or online.
Following their analysis of the different potential relationships between identity theft and
identity fraud, Sproule & Archer settle for a definition of identity-related crime where
identity theft constitutes the initial activity which may be subsequently followed up by
identity fraud.38 This approach is also generally supported by the conclusions of the ISPAC
2007 conference, which indicated that such a ‘catch all’ concept was a valid way to capture
the full range of identity-related crime.39 In this model, activities to develop a false identity,
like document breeding, counterfeiting or ID trafficking, can occur as intermediate steps
before committing the crime that the identity theft is aimed to enable (see Figure 2). In
this framework, ID theft plays a role as a preparatory activity for the commission of other
crimes.
Figure 2 Identity theft and identity fraud framework40
38 Sproule & Archer (2007)
39 Chryssikos et al. (2008)
40 Sproule & Archer (2007)
The abuse of identity-related information represents a complex public policy challenge
since it affects both the public and private sectors. It has a range of social,
psychological and economic implications. Companies and individuals may be damaged
economically by crimes committed through the use or compromise of identity-related
information and society at large may be harmed – through, for example, additional costs
put in place by those in the public and private sector who rely upon identity information
but who must also cover and pass on the costs of risks and misuse to others.
This situation is made more complex where a credential designed for one purpose is used
for another. For example, in the United States the Social Security Number is used for a
variety of public and private identification requirements; in the UK, in the current absence
of a national identity card, the driving licence and passport have become the de facto form
of identification in public, but crucially also in private scenarios (eg, for the purchase of
age-restricted items such as alcohol). Technology, such as the biometric-enabled smart card,
is further blurring these boundaries.41 And as was noted at the 2007 ISPAC conference,
‘...crimes against any form of identification can affect both [public and private] areas.’42
An additional issue to take into account regards the reality of the identity to be protected
against ID theft. Should only the identity of real persons be protected against abuses or are
fictitious identities equally deserving of such protection?
In the literature it has been said that ‘identity fraud comprises both the use of a real
person’s identity (identity theft) as well as that of a fictitious identity’43; furthermore it has
been pointed out that identity fraud is broader than identity theft in that identity fraud
refers to the fraudulent use of any identity, real or fictitious, while identity theft is ‘limited
to the theft of a real person’s identity.’44 This approach of the literature has been followed
by the French lawmaker (see below).
These positions pose the risk that the sphere of protection of identities becomes too
vaguely defined and potentially unlimited. Should, for example, the creation of an avatar
or persona for specific online contexts be considered unlawful? In examining this question,
the societal value and benefit of pseudonyms should also be appreciated; for example, the
use of a fictitious name might allow knowledgeable individuals the freedom to participate
in online debates, to a much greater extent than if they would be required to use their own
identities.
Furthermore, there exist other legal measures to protect existing fictitious identities against
abuses, such as copyright when the identity (or in this context, the character or persona) is
the product of the creativity of its author. Of course a case-by-case approach is necessary in
order to assess the legal or illegal nature of the behaviour of the ID thief: using a
completely fictitious identity to spout critical opinions is entirely different from using
another person’s name to dishonestly create a semblance of credibility, or inversely to harm
that person’s reputation by presenting opinions which are contrary to his real positions.
41 For example, see the Biometric European Stakeholder Network (BEST) Deliverable 4.1: State of Art of Biometrics in eID Systems. As of 25 January 2011: http://www.best-neu.eu/documents/deliverables.92.html
42 Chryssikos et al. (2008)
43 Lacey & Cuganesan (2004)
44 Gordon et al. (2004)
3.1 Options for classification and categorisation
There are various dimensions through which one can categorise identity-related crime.
These include:
• Whether the activity is IT-enabled or not
• Which mechanisms are used to obtain or fabricate identity information
• What kinds of identity information are targeted
• What kinds of entities are targeted (individuals, corporations, government agencies, religious or ethnic groups, etc.)
• To what criminal purposes identity information is used (financial gain, criminal aliasing (ie, causing the wrong person to be arrested for a crime), defamation or character assassination, crimes against persons, infiltration of organisations for espionage, sabotage, terrorism, drug smuggling, money laundering, illegal immigration, etc.).
Identity crimes may be crimes in themselves where the identity is the aim and target of
offenders. Identity offences may be mere instruments for other crimes, in the way money
laundering is a result of other predicate offences. The latter may be the largest category,
since identity abuse could be instrumental in the perpetration of tax evasion and fraud,
terrorist financing, capital flight, bribery and corruption, etc. Identity crimes are thus
facilitative or enabling. A final and even more difficult to identify category has been
proposed: a form of identity misconduct characterised as a response to state actions.45 This
is where targets or suspects may engage in identity-related misconduct for self-protection
or in order to avoid legal or economic sanctions and penalties (for example, appearing on
terrorist watch lists).
A final approach might be via consideration of who is affected (a stakeholder-centric view).
Possible victims could be the identity of the physical person, or the identity of the legal
person or organisation, the identity of the government agency or body. There are also two
other classes of stakeholder affected, both of whom are important but whose impact cannot
be easily determined. One is the financial service providers and credit card companies in
whose instruments consumers and other organisations place their trust. The other is
broader society itself – as identity misuse becomes more and more endemic, trust in the
various public and private systems becomes eroded, resulting in a chilling effect in, for
example, willingness to engage in e-commerce or place trust in governments. However,
measuring this sort of embedded impact is complex to say the least. Assessing who are the
stakeholders concerned and affected by the identity misconduct is relevant in order to
determine who is entitled to compensation in a civil action; from the perspective of
criminalisation, the issue is less relevant.
45 Chryssikos et al. (2008), p.99
3.2 Identity-related crime for direct economic gain
Perhaps the most compelling driver for this form of criminal activity is for direct economic
benefit. A 2007 study for the Centre for Identity Management and Information Protection
(CIMIP) provided an analysis of 517 cases of identity theft from the perspective of the
offender, which demonstrated the extent to which economic motivation drove identity
theft.46 This report presents evidence that out of the 517 cases studied, the motivations
linked to economic gain were by far and away the most popular driving factor for
undertaking this type of crime. Table 1, below, summarises how these rationales break
down out of the total number of cases studied.
Table 5 Motive for use of stolen identity documents

| Motive for use of stolen identity documents | % |
|---|---|
| Obtain and use credit | 45.3 |
| Procure cash | 33 |
| Conceal actual identity | 22.7 |
| Apply for loan to buy vehicle | 20.9 |
| Manufacture and sell fraudulent IDs | 7.7 |
| Obtain cellphones and services | 4.6 |
| Gain government benefits | 3.8 |
| Procure drugs | 2.2 |

3.3 Relationship to other major forms of criminal activity
The peculiar characteristic of identity theft as a preparatory activity as well as a form of
potential criminal activity in itself is complex and leads to other policy complexities.
Identity-related crimes thus have a distinct and separate relationship to other criminal
activities including fraud, organised crime, cybercrime, money laundering and terrorism.
Identity theft has been specifically linked to four other complex forms of crime: organised
crime, terrorism, fraud, corruption and money laundering. The distinction of these four
types of crime is mostly relevant when examining ID theft from a criminologist's point of
view, since from the strict legal perspective they can intermix: fraud, for example, can
equally be committed in the framework of terrorist or criminal activities. By way of a
practical example, if a person steals a credit card owner’s information in order to obtain
resources for terrorist purposes, a criminologist might well argue that the fraud falls within
the framework of terrorism (since the goal of the fraud is to finance terrorist activities), but
legally speaking this person may be prosecuted for fraud (and for terrorism as well).
46 CIMIP (2007)
In relation to organised crime, which has an extensive transnational character, identity-related crime might only be possible among those groups with the resources and expertise
associated with organised crime. Organised criminal gangs might undertake identity-related crimes in order to protect members from surveillance and carry out international
travel. Some countries have reported that this has led to a high degree of specialisation in
the market for identity as an illicit commodity: with the exploitation of weaknesses in
issuance systems or the production of forged documents to sell on to others for other
criminal uses. In this way organised criminal gangs might be said to be growing the black
market for illicit identity information.
Terrorists might choose to engage in the misuse of identity-related information in order to
travel and hide their activities from the authorities. Some of the characteristics of the use of
illicit identity information by terrorists and organised criminal groups are closely linked.
Terrorist groups may acquire or purchase illicit identities from other criminal groups and
may use identity-related crime to fund their operations.
The relationship between identity-related crime and fraud is also complex, but pivotal
from a legal perspective, due to the fact that a qualification of fraud will be applicable to a
large number of ID-related crimes. A substantial amount of identity-related crime is
connected to fraud since identity-related crime can be a means of avoiding fraud
prevention measures and criminal liability and a means of deception central to the fraud
offence itself. The impersonation of officials of banks and telecommunications providers is
a common element of many types of fraud. Other crimes such as credit card fraud may be
considered identity fraud because the offender is using a copied or stolen card as a form of
identification (impersonating the legitimate card holder).
Money laundering crimes also depend on abuses of identity information to avoid or
obfuscate measures to counter the activity. There is also an increasing aspect of
information technology to these forms of criminal behaviour. ICTs enable money
launderers to generate false identification information and thus engage in false transfers
that can conceal laundered assets. The effectiveness of money laundering countermeasures
is also complicated by ICTs, which bring the opportunities and opaqueness of offshore
banking within reach of more and more offenders.
Finally, identity-related crime may also be used as a means of avoiding detection or
criminal liability in respect to corruption. Looking at the link between these two forms of
criminality from the other way around, corruption is often a supporting activity for
identity-related crime: corrupt officials in passport offices or working for credit card issuers
may be actively or passively subverted in order to provide blanks or genuine documents.
This has become ever more important for criminals as more anti-forgery mechanisms are
put in place on passports or other similar documents. Identity-related information in
databases may also be altered or modified by suborned individuals.
3.4 The means to perpetrate identity-related misuse
A bulk of identity crimes are still committed offline and supported by very simple
traditional methods such as ‘dumpster diving’ (going through rubbish bins to find personal
data), stealing mail, credentials or credit cards, ‘shoulder surfing’ (looking over someone’s
shoulder to observe PIN entry, etc.), and social engineering.
Sproule & Archer list the following activities as potentially subsumed under identity
theft47:
• Hacking
• Phishing and pharming
• Corrupt employees involved in transactions or with access to data
• Theft of documents (wallet or purse, credit cards, etc.)
• Theft of data storage devices
• Posing as a landlord or employer to get a victim’s credit report
• Spyware
• Wireless intercept
• Phone and email scams
• Document breeding
• Trafficking in personal information
• Mail interception
• Mail theft
• Forgery
• Counterfeiting
• Insider access
• Search for public records
• Dumpster diving
• Skimming.
FIDIS lists different ways of manipulating authentication procedures, the first few (1–4) of
which focus on the link between the person and the identification data. The subsequent
three (5–7) focus directly on the reference data, and the remaining (8–10) deal with attacks
on the middleman48:
1. Worms (eg, installing a key logger)
2. Social engineering
3. Trojan Horses, key loggers, etc., sent via email attachment
4. Spoofing of sensors
5. Readout of person-related identifiers, authorization and reference data
6. Manipulation of reference data concerning a person
7. Phishing
8. Identity theft by readout of automatic data not securely communicated by the user
9. Replay attacks
10. Identity theft by redirecting communications to a manipulated web site.
47 Sproule & Archer (2007)
48 FIDIS (2006)
The OECD distinguishes between traditional and online ways to gain access to identity
information. Traditional ways to access personal data for ID theft are described in Box 1,
while the online methods for stealing personal information are described in Box 2.49
This list does not take into account the whole set of (initially) lawful ways in which one
could gain knowledge of information later on used for an identity-related crime. These
might be searching public records, finding a lost object like a wallet that contains
identifying information, or having been given the information by the later victim of the
identity-related crime for a different purpose.
Box 1 Traditional ways to access personal data for ID theft50
49 OECD (2008)
50 OECD (2008)
Box 2 Online methods for stealing personal information51
Furthermore the OECD groups phishing into three different subgroups52:
Box 3 Grouping of phishing techniques
Pharming: this method, which uses the same kind of spoofed identifiers as in a classic phishing attack, redirects
users from an authentic website (eg, a bank website) to a fraudulent site that replicates the original. When the
customer connects its computer to its bank web server, a hostname lookup is performed to translate the bank’s
domain name (eg, ‘bank.com’) into an IP address. During that process, the IP address will be changed
SmiShing: cellphone users receive text messages (‘SMS’) where a company confirms their signing up for one of its
dating services, for example, and that they will be charged a certain amount per day unless they cancel their order
at the company’s website. The website is in fact compromised and used to steal personal information
Vishing: in a classic spoofed email, appearing from legitimate businesses or institutions, the phisher invites the
recipient to call a telephone number. When calling, the target reaches an automated attendant, requesting personal
data such as account number, or password for pretended ‘security verification’ purposes. Victims usually feel safer
in this way as they are not required to go to a website to transmit their personal information
Box 4, below, lists the common ways to obtain a false identity, as described by a discussion
paper on identity theft by the European Union’s Joint Research Centre53:
51 OECD (2008)
52 OECD (2008)
53 Mitchison et al. (2004)
Box 4 Methods to obtain a false identity
• He steals wallets and purses containing identification information for the victim, along with credit and bank cards
• He steals details of the victim from a computer (that belonging to the victim, or to a vendor or supplier), with whom transactions have been carried out
• He steals the victim’s mail, including bank and credit card statements, pre-approved credit offers, new chequebooks and tax information
• He completes a ‘change of address form’ to divert the victim’s mail to a location under the rogue’s control
• He finds personal information in the victim’s home – for example, during a burglary
• He rummages through the waste-paper baskets at the victim’s home, garage, ATM machine or bank
• He hacks into e-commerce, bank or business computer servers for client information and details
• He fraudulently obtains the victim’s credit report by posing as a landlord, employer or potential employer
• He uses personal information the victim has made available on web pages or in chat rooms
• He contacts the victim, often through email, by posing as legitimate companies or government agencies with which he does business, or as companies from which he has won a prize
• He gets information by stealing files – physically or electronically – from offices where the victim is a customer, student, employee or patient
• He bribes or corrupts an employee who has legitimate access to the victim’s files
• He places a person in an organization to work for him, for example, in a bank, post office, billing company or credit company
• He acquires the information by trading with other rogues
The UK Home Office report ‘The Future of Netcrime Now’ also cited the threat of
identity theft against eGovernment services and other types of identity theft and related
crime specific to the online environment, as shown in Box 5 below54:
Box 5 Types of identity theft and related crimes
• Unauthorized copying of credit card information, obtained via various means (system penetration, data tap using wireless networks or a pass-through site)
• Corruption of legitimate websites by modifying pages or DNS redirection, fooling users to enter credit card details on a fake webpage
• Unauthorized copying of personal information and credit card details by a covertly installed key logger application at third party terminals (eg, cybercafe, library, college), to achieve online authentication and purchase of goods/services
• Identification systems (eg, smart cards): illegally produced and false documentation used
• Fraud against online government services (VAT, Income Tax, Tax Credits, DTI licensing) via various techniques (hijacking corporate or individual identities)
• General fraud (false document production): online data mining (chat rooms, newsgroups, databases, questionable credit reference agencies) to produce false documentation (passports, 'smart' ID cards, medical records)
• E-commerce fraud (database hacking): unauthorized system access to government and corporate databases, enabling theft of personal information (targeting of individuals of high net worth or specific employees)
• E-commerce: online data mining (chat rooms, newsgroups, databases, questionable credit reference agencies)
• Domestic device account access: the accessing of domestic digital devices (eg, set top boxes) through various means to access and copy personal account information
The EU Fraud Prevention Expert Group’s ‘Report on Identity Theft/Fraud’55, which
focuses on the misuse of personal data to abuse banking/financial services, lists the
following ways criminals gain access to information in the real world: 1) dumpster diving
and bin raiding; 2) mail theft; 3) insider sources; 4) imposters; 5) theft; and 6) purse/wallet
theft. For the online branch of identity theft they point out the weaknesses along the chain
of involved stakeholders:
54 Morris (2004), p.14
55 Fraud Prevention Expert Group (FPEG) (2007)
Table 6 Chain of weaknesses grouped by stakeholders involved56
The Liberty Alliance Project, a global consortium of open federated identity standards and
identity web-based services, with more than 150 stakeholders from areas such as the
banking sector, telecommunication providers and government agencies, has grouped the
types of attacks to obtain individual or multiple identities as shown in Table 7 and Table 8
respectively.57
Table 7 Types of attacks to obtain individual identity data
Types: Technical, Physical, Social engineering

| Attack | Description |
|---|---|
| Trojan/keystroke logger | Spyware/Malware placed via hacking, as payload in a virus or worm, or from websites |
| Wireless interception | Wardriving, open access points, airsnarfing. ‘Evil Twin’ attack |
| Pharming | DNS spoofing, DNS cache poisoning, proxy attacks |
| Scrape website | Gather personal data from websites, web searches to use as verifiers |
| Sniffing | Collect targeted network packets |
| Theft | Stolen laptops, purses/wallets, mail |
| Shoulder surfing | Direct observation of personal information |
| Dumpster diving | Gather discarded documents, hardware (disks) |
| Trusted insider | Identity information misused by individuals with access |
| Phishing | Luring individuals to reveal confidential data |
| Family members | Identity data misused by family members |
| Legal sources of identity | Obtain identity data from credit bureaus, government agencies fraudulently |
| 419 scams | Obtain money and/or account information |
| Trusted insiders | Gain identity information from service providers (doctors, dentists, lawyers, etc.) |

56 Fraud Prevention Expert Group (FPEG) (2007)
57 Liberty Alliance Project (2005)
Table 8 Types of attacks to obtain data for multiple identities
Types: Technical, Physical, Social engineering

| Attack | Description |
|---|---|
| Hacking | Gain privileged access to machines for further attacks and/or data harvesting |
| Data attacks | SQL Injection, XSS |
| Database attacks | Login attacks, inference attacks, SQL scanners |
| Password cracking | Acquire admin password to servers |
| Theft or loss | Backup data, tapes, disks, laptops, etc |
| Breach firewall(s) | Connect to internal network(s) |
| Dumpster diving | Obtain discarded documents, disks, systems, etc. |
| Gain access | To computer rooms, wiring closets, switches, routers |
| Trusted insider | DBAs, employees, contractors, individuals w/access |
| Phone requests | Gain confidential information to facilitate hacking |
As can be seen, there are varying identifications and interpretations of
the different ways in which identities might be misused. As is obvious from the
tables above, these myriad methods of committing identity theft or identity-related fraud
may be combined in any one criminal activity, presenting a wide range of legal and
criminal justice challenges.
CHAPTER 4
The consequences of identity-related crime
In this chapter we discuss the consequences of identity-related crime including direct
consequences for the individual and different types of stakeholder (eg, businesses and
governments). Also, we briefly describe the importance of understanding longer-term
indirect consequences, including the loss of trust which may occur as a result of the abuse
of identity infrastructures, and the increased costs which may be passed onto consumers
and citizens as a result of public and private sector organisations having to invest more in
security, identity and authentication infrastructures.
Different stakeholders are concerned about different aspects and impacts of identity crimes
(for example, industry might be concerned about a potential reduction of trust and
confidence in e-commerce and the limitation that this puts on potential revenues; banks
might be concerned about criminals defaulting on credit obtained under a fictitious
identity). Measuring the problem is difficult for several reasons, including the lack of a
consistent definition and therefore of comparable data, the fact that victims often do not
find out immediately about identity crime, and that the consequences of identity crime are
also hard to quantify. Globally comparable and comprehensive statistics on identity theft
are not available but some countries like the UK, USA, Canada and Australia provide some
insights into the prevalence and costs of identity theft.
The impacts of identity-related crime may be split into those that are either direct or
indirect. Direct impacts at the individual level include costs to victims, either where false
identities are used to commit crimes such as fraud or in a more complex fashion, where, for
example, the victim is falsely imprisoned by the use of his identity information in the
perpetration of another form of crime (eg, terrorism) and is thus deprived of other socioeconomic opportunities. Indirect impacts are much harder to quantify and may include
the preventative measures that governments and the private sector need to take to manage
the risks of this type of fraud (which get passed back to the citizen or consumer either
through more inefficiencies in the public sector or potentially higher prices for goods and
services in the private sector). Other indirect impacts include those associated with the
displacement of criminal activity away from those physical documents which have very
sophisticated functions and anti-fraud measures toward more vulnerable targets. Finally
there may be other more difficult to ascribe indirect impacts: for example the economic or
human costs from terrorist attacks facilitated by identity fraud, or the loss of trust and
confidence in those identity infrastructures which have been abused by criminals.
There are also more subtle implications for democratic participation, such as the reduction
in trust and confidence in e-government and consequently the risk of decreasing
participation in the usage of such tools.
4.1 The economic costs of identity theft and identity fraud
In terms of the consequences of identity-related crimes, estimates vary, but the most data is
available for the US, Canada, Australia and the UK. One estimate from the US indicates that
identity theft damage for 2009 was US$48 billion.[58]
A 2007 McAfee White Paper on Identity Theft estimates the annual cost of identity theft
to the Australian economy at between US$1 billion (according to the
Securities Industry Research Center of Asia-Pacific) and US$3 billion (according to the
Commonwealth Attorney-General’s Department).[59] The Australian Bureau of Statistics
(ABS) reported that 124,000 persons in Australia became victims of identity fraud in the
12-month period preceding the ABS survey on personal fraud conducted in 2007.[60]
CIFAS, the UK’s Fraud Prevention Service, found recently that for ‘identity fraud (the use
of a stolen or false identity to obtain goods or services by deception) […] increase has
continued; up 32 percent in 2009 from the level recorded in 2008.’ CIFAS links this
increase to the recession. Furthermore, the numbers show that more than 85,000 people
have been victims of impersonation, and a total of 102,000 people have been victims of
identity fraud (see Table 9). These figures equal increases of 35 percent and 32 percent
respectively compared to the 2008 numbers.[61]
Table 9 CIFAS identity-related fraud statistics for 2008 and 2009

| Fraud type | Jan to Dec 2008 | Jan to Dec 2009 | % Change |
|---|---|---|---|
| Identity fraud – granted | 34,011 | 57,383 | +68.72 |
| Identity fraud – not granted | 43,631 | 44,944 | +3.01 |
| Identity fraud – total | 77,642 | 102,327 | +31.79 |
| Victims of Impersonation | 62,957 | 85,402 | +35.65 |

Identity fraud cases include cases of false identity and identity theft
[58] Javelin (2009)
[59] Cited in OECD (2009) p.37
[60] Australian Bureau of Statistics (2008)
[61] CIFAS (2010)
The latest official estimate of the costs of identity fraud to the UK economy (covering the
period 1 April 2006 – 31 March 2007) adds up to £1.2 billion (around £25 for every adult
in Britain). The methodology was developed by the Identity Fraud Steering Committee
and economists from the Home Office. Unlike earlier studies, this methodology takes
into account both the financial loss to organizations and costs incurred for the adoption of
systems to identify, prevent, deter and prosecute cases of identity fraud. For a breakdown
of the costs see Table 10, below:
Table 10 Estimated cost of identity fraud in the UK from 1 April 2006 to 31 March 2007 [62]

| Organisation / Industry / Sector | Cost of identity fraud | Notes |
|---|---|---|
| APACS - the UK payments association | £201.2m | Figures include the actual losses associated with Card ID theft, namely account takeover and third party application fraud. It also includes an estimate of the costs associated with the prevention, detection and investigation of identity related crime as specified in the methodology adopted by the Home Office for this exercise. As the banks’ fraud prevention and detection systems, the investigation processes and the supporting resource do not solely focus in isolation on identity fraud related crime, these figures can only be regarded as indicative. NOTE: There is potential for overlap with figures reported by CIFAS. APACS and CIFAS have liaised to guard against double counting. |
| Association of British Insurers | £31m | The cost of internal fraud through re-opening closed claims, dormant accounts and paying claims for personal gain. Also includes account takeover of life policies and cashing joint life policies (estranged spouses). |
| Audit Commission | £0.4m | Represents losses from public sector occupational pension schemes due to, for example, next of kin continuing to claim pension payments following the death of a relative. |
| British Cheque Cashers Association | £36m | Estimated direct financial loss and cost of prevention, detection, reporting in relation to cashing of cheques by someone other than the payee. |
| CIFAS - The UK's Fraud Prevention Service | £23.5m | CIFAS member organisations share information about identified frauds (e.g. application fraud, first party and identity fraud) in the fight to prevent further fraud. Figures relate to costs associated with preventing fraud and actual losses through identity fraud. Typical losses reported by CIFAS members include purchases using credit cards obtained by using false identities and the value of an asset (e.g. a vehicle) purchased from a dealer using finance in a false or stolen identity. NOTE: There is potential for overlap with figures reported by APACS. CIFAS and APACS have liaised to guard against double counting. |
| Criminal Justice System | £50m | Criminal Justice System costs are an estimate of the total police investigation, prosecution, court and disposal costs for cases of identity fraud. |
| Driver and Vehicle Licensing Agency | £5.3m | Cost of detecting and investigating applications for driving licences using false identities. |
| Department for Innovation, Universities and Skills (Student Loans) | £8.4m | Costs relate to setting up systems to investigate fraudulent claims and early estimate of identified losses from student loans obtained using false identities. |
| Driving Standards Agency | £1.7m | Cost of detecting and investigating identity fraud in the driving test process. |
| Home Office | £284.4m | Home Office costs relate to the work of its agencies in safeguarding and validating the identities of its customers, as well as costs around deterrence, prevention and investigation of identity fraud. The majority of the costs (£227.8m) relate to the operating costs for Identity and Passport Service in carrying out identity checks, investigating suspected identity fraud cases, implementing systems and processes to detect and prevent fraudulent applications of passports, including costs relating to the introduction of face to face interviews for all adult first time applicants for a UK passport. Other costs relate to the work of the Border and Immigration Agency (now UK Border Agency) around operating a dedicated National Document Fraud Unit, deterrence, prevention and investigation of illegal working. Costs have also been included for UK Visas work on prevention of identity fraud. |
| Customs | £47.2m | Cost of prevention, detection, investigation and direct financial loss due to ID tax credit fraud. |
| Ministry of Justice | £35.8m | Cost relates to unpaid fines due to no trace of identity or address. This can be due to a number of reasons such as false or inaccurate information being provided and offenders not attending court to verify their details. |
| Telecommunications UK Fraud Forum | £485m | Estimated cost of obtaining goods and services such as mobile phones, premium rate services, long distance telephone calls through fraudulent applications using false identity details. |

4.2 Personal impact
A report by Javelin estimated that the amount of time it takes for an identity theft victim
to rectify problems stemming from identity-related crime ranges from 30 to 40 hours per
person. In 2003 the US Federal Trade Commission estimated that the average costs to the
individual were US$4,800. The US Department of Justice in 2005 reported that its
analysis of the average loss per household was US$1,620. Interestingly, in 2009 Javelin
indicated that the mean loss per individual (in the US) was $500, which may be indicative
of the success of efforts in the US to address the problem.[63]
As with the overall impacts of this form of criminality, there may be direct and indirect
impacts for the individual. The Australasian Centre for Policing Research, in its review of
the legal status and rights of victims of identity theft in Australasia, indicated that the
following three types of impact exist:[64]
• Direct financial impacts: loss of savings, cost of reporting and preventing the
continued use of the identity and the cost of restoring reputation (eg,
communications to financial institutions, credit scoring agencies and so on)
• Indirect financial impacts: damage to credit rating, damage to personal and
business reputation and the creation of a criminal record associated with the
fraudulent use of identity
• Psychological impacts: determined by how the stolen identity is used. Depending
on the severity of the resultant crime, these may range from stress or trauma
caused by or to one or more family members in respect of the use of that person’s
identity to the impact of knowledge of the use of that identity for the resultant
crime (eg, fraud, people smuggling, terrorism, etc.).
[62] Source: www.identitytheft.org.uk
[63] Javelin (2009)
[64] Cited in Chryssikos et al. (2008), p.181
CHAPTER 5 Responses and mitigation: criminalisation and identity assurance
In this chapter we present an overview of approaches for mitigation of the types of identity
theft and misuse presented earlier. These approaches may be broadly categorised into either
criminalisation (whereby new or existing legal and non-legal approaches are used to address
the problem) or what might be termed ‘identity assurance’[65] which is concerned with
strengthening identity and authentication infrastructures in order to lessen their
vulnerability.
Although a small number of states such as France, the United States, Australia and Canada
have enacted specific fraud or identity theft legislation, most domestic laws and policies
focus upon addressing identity-related crimes through the prism of the types of further
criminal activities that may be committed through abuse of identity.
There are challenges to effectively dealing with identity-related crime, however. A report by
the Council of Europe argues that a number of factors serve to complicate the fight against
identity theft:[66]
• Vulnerabilities in the identity infrastructure, most notably where a unique
identifier (eg, a registration number) has been developed for one specific purpose
and is subsequently used for another, broader purpose without corresponding
improvements in the supporting infrastructure
• The availability and ubiquity of identity-related information (especially in digital
form and/or made available online). This includes broadly available personal
information on social networking sites but also the increasingly popular use of
digital identity information and its linking by the public and private sectors (an
example of which is behavioural advertising: where disparate snippets of
identity-related data are linked, combined and interrogated to build up a picture of an
individual)
• Missing identity verification procedures – the complexity of transferring identity
verification procedures to a digitised world has meant that they are often poor or
absent, again presenting challenges for addressing identity-related crime
• Investigative difficulties – there are a number of challenges reflecting investigative
difficulties including the number of victims, the availability of easy tools to
perpetrate offences, the international and cross-border dimension, and finally the
opportunities that automation presents (eg, in the link between spamming, botnets, phishing emails and unsecured home networks).
[65] IAAC (2009)
[66] Gercke (2007)
5.1 How to approach criminalisation?
The 2007 UN ISPAC conference suggested that the following rights and interests, which may
need to be protected by criminal law, ought to be taken into account when considering the
utility of offences and other criminal justice measures as avenues to address identity theft
and identity-related fraud:[67]
• The interests of the individuals whose identity is taken, copied, altered or misused
• The extent to which relevant rights exist and are affected by the abuses, including
privacy rights, intellectual property rights (eg, corporate identity) and the right to
have an identity
• The need to protect the integrity of the various models of the identity
infrastructure, including national identity systems, subject specific identity systems
(eg, passport systems) and relevant private sector identity systems
• Within the scope of each identity infrastructure, what specific document and
information should be protected
• Whether the criminalisation of specific abuses per se is necessary or justified to
prevent or suppress secondary crimes such as fraud, money laundering, terrorism,
or the smuggling of migrants or trafficking of persons
• Whether criminalisation is needed or justified on national security grounds
• Which specific forms of conduct should be criminalised and how offence
provisions should be framed (eg, in respect of conduct such as acquiring, taking or
copying, falsifying, possessing, transferring or trafficking in identity information
or documents or the subsequent illicit use of identity documents or information in
other offences)
• At a general level, how the scope of identity offences would fit within the existing
criminal law of each state, bearing in mind the need to avoid gaps.
5.2 Prevention
Whilst criminalisation is clearly one approach to addressing the problem (in so far as it can
act as a deterrent and can remove the perpetrators from society) ex post, there is an
argument that prevention is more cost effective and ultimately a more useful avenue to
address this form of misuse. This was highlighted by McNulty, who noted that in
addressing the complex challenge of identity theft and fraud, prevention is better than
cure.[68]
[67] Chryssikos et al. (2008)
[68] Chryssikos et al. (2008), p.93
Two different forms of prevention were cited in the response to the UN ISPAC conference
as key areas to be addressed. These were strategic and situational (or operational)
prevention. Strategic prevention referred to the need to develop and implement
infrastructures that are resistant to crime; situational prevention referred to the rapid
identification of ongoing schemes or activity in order to generate criminal investigations
and countermeasures to mitigate or reduce the damage.
Examples of strategic prevention include technical measures against the forgery and
counterfeiting of physical identity documents, the use of photographs (and increasingly
digitised identity information such as electronic biometric data), review of the limits of
validity of documents, and measures to protect the validity of the process of creating
identity and issuing documents. The verification process also needs to be protected in
respect of the uses of identity documentation and its links to the identity infrastructure.
Clearly protections such as biometrics and multiple factor authentication may help support
the protection of the verification process.
One of the prime situational or operational preventative measures is training and awareness
for individuals in how to respond when this kind of abuse is detected. Other examples of
situational prevention may be found in the Information Management Strategy of the EU’s
Stockholm Programme, which seeks to set out a framework and associated systems for
sharing of information to support police and judicial cooperation across Europe (for
example, in respect of a European Information Exchange Model, improving information
flow between the Member States and Europol and establishing improvements to
operational police cooperation).
5.3 Relevant supranational legislative norms
There are a handful of international legal instruments or norms which may also be effective
and relevant, serving as regional or global frameworks through which public and private
stakeholders may coordinate their efforts to combat ID theft. At the European level these
include the EU Data Protection Directive 95/46/EC, which contains legal requirements to
protect against the unlawful use of personal data, including the possibility of initiating
appropriate legal actions in case of violations of its rules. Other relevant EU-wide legal
frameworks (such as the recently passed revisions to the Telecommunications Privacy
Directive 2002/58) may also be of indirect relevance. The provisions regarding the
notification of breaches to data subjects, for example, may allow them to see if they are at
increased risk of being a victim of identity theft. The 2005 Council Framework Decision
on Attacks Against Information Systems also represents a relevant instrument with which
to address this form of criminality, as it defines a number of ICT-related crimes that may
also apply to specific instances of ID theft. This Framework Decision follows the example
of the similar Council of Europe Cybercrime Convention. This convention is the only
international legally binding instrument which provides a set of guidelines or framework
for countries intending to develop comprehensive national legislation against cybercrime
(including offences relating to online aspects of identity theft such as phishing).
Within the international sphere, another relevant supranational convention is the United
Nations Convention Against Transnational Organized Crime (Palermo Convention,
2000). This convention sets a global bar for what may be considered as ‘serious crime’ and
to some extent lays down requirements for signatories to set out minimum sanctions for
the twelve different sorts of activity classed as organised crime. The utility of using this
instrument to tackle identity theft in respect of trafficking of persons was raised during its
negotiations in 1999–2000 (in the context of identity-related crime as it relates to
immigration). Similarly, the UN Convention on Corruption, which came into force on 14
December 2005, addressed some of the issues pertaining to identity theft by means of
corruption. The convention originated from the General Assembly resolution 55/61 of
December 2000 which recognised that independently of the UN Convention Against
Transnational Organized Crime an international legal instrument should be adopted to
tackle corruption. The international community recognised that corruption is a ‘complex
social and economic phenomenon that affects all countries’ and transcends various forms
of crime including identity fraud.[69] Given the potential links between corruption and ID
theft, this source may be relevant when tackling the issue of misuses of identity.
5.4 Public-private international collaboration
The Phishing Enforcement campaign may be seen as a salutary example of the need for
international collaboration. In 2005 there were 121 civil lawsuits filed and 53 legal actions
announced on 20 March, including 10 arrests in France, 7 in Spain, 4 in the UK,
Germany and Morocco, 1 in Austria, Sweden and Egypt and 20 in Turkey. The Global
Phishing Enforcement Initiative (GPEI) launched by Microsoft in March 2006 reported
3,500 take down notices issued since 2003. Other international cooperative activities
included the arrest of 8 individuals in Bulgaria in 2006 as a result of an international
investigation which involved Microsoft under the GPEI. In the Stockholm Programme,
the European Commission was invited to take measures to enhance and improve such
public-private partnerships.
5.5 The European policy response
Europol’s European Union Organised Crime Report for 2003 acknowledged that the
incidence of identity theft and credit card fraud had continued to grow in the EU. Since
then, there has been a degree of convergence between efforts to address the security of the
financial systems and to address credit card fraud and identity theft. In the 2004 Action
Plan on payment fraud prevention, identity theft was highlighted as a growing issue and
the need to strengthen business and consumer confidence in the use of non-cash means of
payment (particularly face to face) was also noted. Also, in 2004, a workshop on identity
theft was held under the EU Forum for the Prevention of Organised Crime.
In 2006 a conference on identity theft was hosted by the European Commission which
identified a number of follow up actions relating to: the need for a common definition of
identity theft in the EU; the need for new EU criminal legislation; the usefulness of
tackling identity theft at EU level, notably by intensifying public-private cooperation; the
need for more statistics; the need to strengthen investigations and prosecution by law
enforcement; the desirability of a coordinated effort to raise awareness; the need to
improve or facilitate reporting by victims; and the need to assist the private sector in the
verification of identity documents.
[69] As of 25 January 2011: http://www.unodc.org/unodc/en/corruption
The synergies between prevention of payment fraud and identity theft were recognised at
this meeting, most notably in respect of the complexity of data to measure the effectiveness
of responses, the need for cross-border collaboration (since this is essentially a cross-border
problem) and intergovernmental cooperation, and finally in respect of the ‘messy’ nature
of this policy challenge (crossing as it does the boundary between public and private
sectors). Increased attention to the question of payment fraud was also brought about by A
New EU Action Plan 2004–2007 to Prevent Fraud on Non-Cash Means of Payments
(COM(2004) 679 final), which aimed to establish a coherent pan-European approach to
fraud prevention. In 2007, the Communication From the Commission to the European
Parliament, the Council and the Committee of the Regions Towards a General Policy on
the Fight Against Cyber Crime (COM(2007) 267) expressed regret that identity theft was
not yet criminalised in all EU Member States and proposed that EU law enforcement
cooperation would be better served were identity theft criminalised in all Member States.
The conclusions of a study commissioned by the Portuguese Presidency in 2009 after a
European conference on ‘Identity Fraud and Theft: The Logistics for Organised Crime’ in
2007 also reinforced this; however, it did not go so far as to propose criminalisation in all
Member States. Rather this study recommended that it was necessary to:
Agree on a joint uniform definition of the term identity fraud as well as a joint
uniform approach toward a common legal framework for identity fraud punishment[70]
A second important development is in respect of the focus of EU policymaking on
cybercrime. Although identity theft does not only occur online, addressing the Internet-enabled instances of this form of criminal activity presents immediate, tractable and ‘low
hanging fruit’ results in terms of policy impact. The Framework Decision on Attacks
Against Information Systems and the Council of Europe Convention on Cybercrime
(Budapest Convention) are perhaps the two most important legal instruments in this
regard.
The conclusions of the European Council on the Action Plan to Implement the Concerted
Strategy to Combat Cyber-Crime on 26 April 2010 also note financial cybercrime and
online fraud as specific topics likely to require the attention of a single centre which would
carry out a variety of tasks aimed at implementing the cybercrime strategy.[71] This would
consolidate and expand upon the functions assigned to Europol’s European Cybercrime
Platform (ECCP) ‘in order to facilitate the collection, exchange and analysis of
information’.
On a more operational level, the High Tech Crime Centre of Europol has also remained
an active stakeholder in supporting investigation and ongoing operational activities.
[70] Knopjes (2009)
[71] Council Conclusions on an Action Plan to Implement the Concerted Strategy to Combat Cybercrime; 26
April 2010 http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/114028.pdf
Following on from the Council Conclusions of April 2010, in June of the same year,
Europol’s Cybercrime Task Force[72] was created with a remit to consider operational and
strategic issues on cybercrime investigations, prosecution and cross-border cooperation in
the fight against cybercrime. The aforementioned ECCP formed part of this Task Force,
which also included the Internet Crime Reporting Online System (ICROS), the Analysis
Work File Cyborg (aimed at fighting criminal groups operating on the Internet), and other
initiatives aimed at supporting law enforcement activities.
This platform was regarded as a first step toward a more consistent and effective approach
to fighting Internet criminality at the EU level. The ECCP originated from a proposal by
the French Presidency in 2008 for Europol to coordinate a European response to Internet-related crime by creating a means to report offences noted on the Internet. The Presidency
also invited Europol to develop a common and coordinated strategy to fight Internet-related crimes on an international level. Aside from this focus on the economic drivers and
consequences of identity theft and its treatment primarily as an economic phenomenon,
there is now increasing policy interest in understanding and addressing identity theft and
fraud as a form of criminal activity in the context of other freedom and security issues,
such as the fight against terrorism or illegal immigration.
The 2009 Stockholm Programme contained a wide ranging set of priorities for policy in
the area of justice, freedom and security of direct or indirect relevance to identity theft and
fraud. As well as specific mention of the need for a pan-European reporting mechanism for
identity theft, the Stockholm Programme also indicated how the growing use of personal
data presents opportunities and threats to freedom, security and justice for all. Numerous
actions were identified in areas relating to fraud, immigration and corruption (forms of
criminal behaviour that might be facilitated by identity theft or identity-related fraud), as
well as details on actions to address identity-related infrastructures (in terms of reducing
opportunities for exploitation by implementing more responsible uses of personal data and
greater adherence to globally accepted data protection principles). The Stockholm
Programme and its associated Action Plan also highlight the need for an examination of
whether sufficient approximation exists between Member States regarding certain forms of
crime as identified in Framework Decisions (most notably of relevance, on computer
crime) and whether new legislation is required.
Finally, returning to the question of whether prevention is better than cure, the existing
focus on reform of the EU legal framework governing the use of personal data presents
another opportunity for progress in securing identity infrastructures and putting into place
another important preventative aspect of the fight against identity theft. In its
Communication to the European Parliament and the Council of June 2009, the European
Commission noted that various technological drivers were having a major effect upon the
use of personal data, reinforcing the need for a comprehensive and effective legal
framework to address these new challenges (implicit in this is not only the non-criminal
misuse of personal data but also the fact that ineffective adherence to the legal framework
creates opportunities for individuals to exploit insecure data stores and to steal or obtain
personal data).
[72] As of 25 January 2011 http://www.europol.europa.eu/index.asp?page=news&news=pr100622.htm
5.6 National responses
Moving to the national sphere, it is clear that states adopt differing approaches to address
the problem of identity theft and identity-related crime. Most experts agree, however, that
the solution must combine both legislative and non-legislative approaches, across both the
public and private sectors (since this is a policy issue covering both).
5.6.1 Legislation
There are a variety of types of legislative instrument that may be developed, drafted or used
to address the types of misuse described previously. These include (see the analysis of the
country reports below for further details):
• Identity theft legislation (such as in Canada, France or the United States) that
specifically criminalises varying types of misuse
• Legislation with regard to the protection of personal data (including regulations
that govern the circumstances under which personal data can be collected and for
which it might be processed, and security breach notification laws[73])
• Legislation and regulations relating to identity documents and numbers (such as
national identity cards or social security numbers) that governs the existence, use
and forgery of specific identity tokens or credentials
• General penal provisions with respect to fraud, forgery and usurpation of titles
(providing these provisions are phrased sufficiently broadly they may be useful and
appropriate for sanctioning even high-tech instances of identity theft), which may
have been amended as a result of international harmonisation initiatives in the
field of high-tech crime (eg, the Council of Europe Convention on Cybercrime)
• Regulations specific to a particular sector (eg, aimed at fighting organised crime or
terrorism). Generally such legislation provides an indication of the success of the
track record of operational efforts to address this problem
• Non-criminal regulations (administrative infractions, civil suits and torts, which
may result in non-criminal fines and/or the awarding of damages to victims)
might be available and should be taken into account.
The abovementioned instruments may be combined in practice, and their application does
not exclude other remedies. To give a concrete example, even when general or specific
criminal provisions are applicable, civil compensation or tort is not excluded.
5.6.2 Non-legal responses
As stated before, legislation of whatever type can only go so far in addressing identity theft
and identity-related fraud. Other ‘softer’ solutions are also necessary, including the use of
public-private partnerships (which permit stakeholders from both sides to come together
and discuss issues in a collaborative manner), hotlines and reporting centres (both public
and internal such as those from law enforcement to specialised centres), the collection of
statistics (which permits an evaluation of the effectiveness of measures), user awareness and
reporting mechanisms (to again support strategic prevention ex ante), non-binding forms
of monetary compensation (eg, via alternative dispute resolution schemes such as those in
Canada or retail orientated systems like square trade), and finally technology to improve
the security of identity infrastructures at all points of the identity assurance chain.
[73] Romanosky et al. (2008)
CHAPTER 6 Conclusions
In the chapters above, we have presented an overview of the literature relating to the
phenomenon of identity theft and identity-related crime. We have shown that the
properties of identity make it difficult to classify types of misuse as theft, since identity has
non-rivalrous properties: when a person decides to (mis)use aspects of a victim’s identity,
this does not inherently rob the victim of those features, although he or she may very well
suffer negative consequences as a result. In economic terms, ‘identity’ as a concept is not
fully subject to unambiguous ownership. It generally cannot be freely traded or forcibly
taken, as its abstract nature and strong inherent link to an individual make it unsuitable to
a qualification as a type of property which can be appropriated by a third party. For this
reason, the notion of identity ‘theft’ is slightly misleading: the types of incidents often
qualified as identity theft (including the examples above) generally would not be covered
by traditional criminal provisions in relation to theft.
Leaving aside these legal and philosophical questions on the nature of identity and its
possible ownership, other important terminology issues arise. If the term ‘identity theft’
indeed does not require anything to be ‘taken away’ in the strictest sense, then should the
concept instead capture all the forms of misuse associated with identity-related
information? If so, then would a broader nomenclature of ‘identity-related crime’ be more
appropriate than the more restrictive ‘identity theft’? Identity theft may, in the case of an
illegal identity information ecosystem (e.g. the production and sale of fake passports), be a
pure form of misuse, the results of which are then offered to others as a criminal service.
More commonly, however, identity theft is a preparatory act intended to facilitate other
crimes. These other crimes are most often motivated by financial or economic gain and
usually take the form of various types of fraud.
In attempting to categorise identity-related crime, there are a number of dimensions which
may be relevant, including: the role of information technology in the commission of the
activity; the mechanisms used to obtain or fabricate identity information; the types of
identity information and stakeholder targeted; and the end criminal use that identity
information is put to (for example, defamation or character assassination, crimes against
persons, medical malfeasance, infiltration of organisations for espionage, sabotage,
terrorism, drug smuggling, money laundering, illegal immigration, etc.). Furthermore,
identity-related misuse/crime can be categorised according to its purpose (related to, but
different from consideration as to whether it is fraud or a separate distinct form of
criminality as described above).
In any respect, the most popular motives for the use of stolen identity documents are
financial, and include obtaining and using credit, procuring cash and fraudulent loan
applications. Identity theft may also be perpetrated as a means for terrorists to hide
themselves and their activities from the authorities, to aid in people smuggling, and as part
of the complex web of activities associated with illegal immigration, money laundering and
various types of fraud.
Looking at the specific means to perpetrate identity theft and related forms of misuse,
there are a broad range of methods identified, spanning a spectrum from suborning
corrupt officials to the physical theft of blank identity documents, to means that use
information technology including phishing (sending emails asking customers to submit
their information to websites purporting to represent their bank or financial institution) or
skimming (taking personal or identifiable data from the magnetic stripes on credit cards
when used at ATMs). Dumpster diving (going through refuse or rubbish trying to find
identity-related information) is another popular method to perpetrate identity theft, as is
shoulder surfing (watching over someone’s shoulder in order to observe and record a PIN
number).
In terms of the consequences of identity-related crimes, estimates vary, but most data are
available for the US, Canada, Australia and the UK. For example, according to the last data
available in the UK, the yearly costs relating to identity theft were estimated at £1.2bn. In
Australia estimates vary between US$1 billion and US$3 billion. By comparison, one
estimate from the US indicates that identity theft damage for 2009 was US$54 billion.
The consequences are varied and not only include direct economic damage to the
individual (for example, in terms of direct financial loss due to theft) but also indirect
damage (for example, loss of reputation caused by being mistakenly identified as the
perpetrator of another crime). There are also more indirect socio-economic consequences,
including loss of trust in the identity infrastructures that have been breached and the
indirect costs that credit card companies end up passing onto the consumer as a result of
the additional security measures they put in place as part of their identity and
authentication infrastructures.
In terms of policy responses, there is wide agreement that a combination of legislation and
non-legislative measures is necessary. There is also a recognition that prevention is better
than cure and that while ex post criminalisation may have its place (as a deterrent and
punishment), policy focus on strategic and operational prevention is equally if not more
important. Such means might include hotlines and reporting centres, awareness raising
activities and one-stop shops. Finally, the collection of statistics was also viewed as
important (and again this touches upon the definitional question as to how to frame
understanding of what data to collect).
The cross-border nature of these forms of criminality also requires coordinated action by
national governments. Supranational instruments, initiatives and measures have a role to
play in this respect, either via international conventions (such as the Convention on
Cybercrime, the UN Convention on Corruption or the EU Framework Decision on
Attacks Against Information Systems) or via industry platforms (for example, the Anti-Phishing Working Group) or in the case of the European Union, concerted action through
task forces, platforms and action plans.
Nonetheless, at the European level, a first step will be to understand how identity theft and
identity-related misuse are treated at the national level both by legislative and non-legislative
approaches. This will then inform consideration of where policy efforts may be best placed,
either in respect of focusing efforts on the preparation of entirely new legislation
specifically dealing with this form of misuse or perhaps instead on non-legal approaches.
Generating the evidence to inform this consideration is the purpose of the next phase of
this study.
CHAPTER 7
Country Summaries
This chapter contains short summaries of the full country reports in Appendix 1: National
Profiles.
Before the summaries themselves, we present summary tables describing the overall picture
across the countries studied. These include an overview using five criteria (Table 11):
• Existence of specific legislation detailing ID theft
• Existence of other applicable legislation that is suitable
• Existence of notable case law regarding the successful application of legislation to
  address different specific instances of identity theft/misuse (as defined in the five
  characteristics in our study)74
• Existence of a dedicated reporting point, specifically for identity theft and
  identity-related misuse
• Existence of awareness raising mechanisms.
We also present tables (Tables 12 and 13) describing:
• Sanctions (minimum, maximum and where data is available, the actual sanction
  awarded)
• Characteristics associated with the reporting mechanism (eg, offline or online
  reporting, whether the victim has feedback or progress update).
74 Note that we do not include local or regional instances of case law which may illustrate discrepancies
between towns or cities in the same country
Table 11 Overall country comparison
Columns: Country | Specific ID theft law? | Relevant provisions in criminal law? | Case law? | Specific dedicated reporting point? | Public awareness campaign?
[Cell entries for the five criteria columns are not reproduced; the rows are listed below.]
Australia
Austria
Belgium
Bulgaria
Canada
China
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
India
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malta
The Netherlands
Poland
Portugal
Romania
Russian Federation
Slovakia
Slovenia
Spain
Sweden
United Kingdom
United States
Table 12 Comparison of maximum and minimum sanctions
Country | Maximum criminal sanction | Minimum criminal sanction
Australia | Up to 10 years (Criminal Code Part 7.3) | 1 year (Criminal Code Part 7.4)
Austria | Up to 10 years (Sec 148a StGB Penal Act) | 3 months (Sec 108 Federal Act Enacting a Telecommunications Act - TKB - 2003)
Belgium | Up to 10 years (Article 196 Criminal Code) | 15 days (Art 124 of Law of 13 June 2005)
Bulgaria | Up to 20 years (e.g. Art. 212 Criminal Code) | Up to 1 year (e.g. Art 319e Para 1 of Criminal Code)
Canada | Up to 14 years (Section 380(1) of the Criminal Code) | Up to six months (Section 342.01 Criminal Code)
China | Death (Article 192, 194 and 195 of Criminal Code) | Up to three years (Art 23bis of Criminal Code)
Cyprus | Up to 14 years (Part VIII of the Criminal Code. Section 333) | At least 2 years (Section 10 of law of 2004 ratifying Cybercrime convention)
Czech Republic | Up to 12 years (Section 209 Criminal Code) | 6 months (Section 232 (1) (a) or (b) of The Criminal Code)
Denmark | Up to 6 years (Article 171 Criminal Code) | 4 months (Act No 429 on the processing of personal data)
Estonia | Up to 5 years (Section 213 of the Criminal Code) | Up to 1 year (Section 344)
Finland | Up to 4 years (Section 2 of Ch 33 of the Criminal Code) | At least 4 months (Section 2 of Ch 36 of Criminal Code)
France | Up to 10 years (Article 441-4 Criminal Code) | Up to 1 year (222-16-1 Criminal Code)
Germany | Up to 10 years (Section 263(1) Criminal Code) | Up to six months (Section 269 (3) Criminal Code)
Greece | Life sentence (Article 1 of Law 1608/1950) | 3 months (Section 370C(2) Penal Code)
Hungary | Up to 10 years (Article 318 Criminal Code) | Up to 1 year (Article 276 Criminal Code)
India | Up to 10 years (Section 70, IT Act 2000 and 2008) | Up to three years (Section 66 A IT Act 2000, 2008)
Ireland | Up to 10 years (Section 9 Criminal Justice (Theft and Fraud Offences) Act 2001) | Up to 3 months (Section 5 Criminal Damage Act 1991)
Italy | Up to 6 years (Art 497bis Criminal Code) | At least 6 months (Article 640 Criminal Code)
Japan | Up to 10 years (Article 246 Penal Code) | At least three months (Art. 258 Penal Code)
Latvia | Up to 15 years (Section 177(1) Criminal Code) | Up to 2 years (Section 145 Law of 23 March 2000)
Lithuania | Up to 6 years (Section 2 of Article 196 of Criminal Code) | Up to 2 years (Art. 198(2))
Luxembourg | Up to 10 years (Article 196 Criminal Code) | At least 8 days (Article 231 of the Criminal Code)
Malta | 7 years (Article 308, Chapter 9 Criminal Code) | Not exceeding 20 days (Article 308, Chapter 9 Criminal Code)
The Netherlands | 6 years (Article 255 Criminal Code) | Maximum 1 month (Section 1 Article 350b Criminal Code)
Poland | Up to 8 years (Article 286 Section 1 Criminal Code) | At least 3 months (Article 287 Section 1 Criminal Code)
Portugal | Up to 10 years (Article 4 Cybercrime Law; Law no. 109/2009) | At least 6 months (Article 256 Criminal Code)
Romania | Up to 20 years (Art 215 Criminal Code) | At least 3 months (Article 291 Criminal Code)
Russian Federation | Up to 10 years (Article 159 Criminal Code) | Up to 3 months (Article 325 Criminal Code)
Slovakia | Up to 15 years (Article 221 Criminal Code) | At least 6 months (Article 226 Criminal Code)
Slovenia | Up to 10 years (Article 211 Criminal Code) | At least 3 months (e.g. Article 237 Criminal Code)
Spain | Up to 8 years (Article 399bis Criminal Code) | At least 3 months (Article 392, no. 2)
Sweden | 6 years (Chapter 9 Section 3 Penal Code) | 6 months (9 Section 2 Penal Code)
United Kingdom | Up to 10 years (Fraud Act 2006) | 12 months (Section 2. Computer and Misuse Act 1990 as amended by Police and Justice Act 2006)
United States | Life imprisonment (Title 18 Section 1030 US Criminal Code) | Up to 1 year (Section 2701-2711 Criminal Code)
Table 13 Comparison of reporting mechanisms
Country | Dedicated off/online portal?
Australia | Online
Austria | Online
Belgium | Online
Bulgaria | Online
Canada | None
China | None
Cyprus | None
Czech Republic | None
Denmark | None
Estonia | Offline
Finland | Online
France | None
Germany | None
Greece | Online
Hungary | None
India | Offline
Ireland | Offline
Italy | Online
Japan | None
Latvia | Online
Lithuania | Online
Luxembourg | None
Malta | Online
The Netherlands | Online
Poland | None
Portugal | Offline
Romania | None
Russian Federation | Online
Slovakia | None
Slovenia | None
Spain | None
Sweden | None
United Kingdom | Online
United States | Online
[Columns ‘ID theft’, ‘All crime’ and ‘Feedback’: entries not recoverable.]
7.1 Australia
Australia does not have a federal law which specifically criminalises ‘identity theft’,
although a bill to that effect is before the federal parliament. This bill would introduce a
new Part 9.5 ‘Identity crime’ into the Commonwealth Criminal Code. Although the bill is
not yet federal law, mirror legislation has been adopted by several Australian states and it is
therefore useful to summarise its main features. The bill would introduce the following
three offences: Dealing in identification information; Possession of identification
information; and Possession of equipment used to make identification documentation.
Whereas the federal legislation still has not been passed by Parliament, most Australian
states have now enacted specific identity theft crimes. South Australia and Queensland
took this step before the introduction of the federal bill; other states have done so
subsequently.
Other laws that may apply to ID theft incidents
• Criminal Code (eg, Part 10.8 or Part 7.3 or Part 7.7)
• Privacy Act 1988
• Spam Act 2003
• Financial Transaction Reports Act 1988
Application of Relevant Laws in Practice
While there is no reported case law arising under any of the specific identity theft
provisions in Australian law, there appears to be a sufficient body of existing law which
could be applied to prosecute perpetrators of identity theft in the examples considered.
Reporting Mechanisms
The Attorney-General’s Department maintains a website on identity security, which
contains links to national strategies as well as a publication ‘Dealing with ID Theft’
(http://www.ag.gov.au/identitysecurity). This document, which is aimed at members of
the public, provides preventative information and includes relevant points of contact for
reporting incidents. Separately, the website SCAMwatch (http://www.scamwatch.gov.au)
is maintained by the Australian Competition and Consumer Commission and includes an
online form for reporting identity theft. Other informational websites are also in existence.
Concluding Comments
Whereas the federal identity theft bill of 2008 has still not been passed by Parliament, the
five most populous states all now have specific identity theft crimes on the books.
Generally, these are not standalone offences; they are based on an intention to commit or
facilitate other criminal conduct. In this regard, they add to the inchoate offences already
provided for by the common law or by statute, eg, attempting to commit a crime. From a
law enforcement perspective, they are potentially useful because they criminalise conduct at
an early stage, before it has gone far enough to constitute an attempt or conspiracy.
However, in practice they have not been utilised. There are no cases arising under any of
the specific identity theft provisions. This may simply reflect that the laws have not been
on the books for very long, although in South Australia (albeit a jurisdiction of a little over
1m people) they have gone unused since their introduction in 2003. Another possible
explanation is that policing of identity theft remains largely reactive. If this is the case, then
offenders are likely to have committed, or at least attempted, other crimes by the time they
are arrested, making it unnecessary to overload the indictment with additional charges.
7.2 Austria
No legislation has been introduced in Austria that focuses explicitly on ID theft as a
specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, ‘cyber crime
provisions’, fraud, etc.). No such legislation is currently under consideration in light of the
information available.
Other laws that may apply to ID theft incidents
• Penal Act (eg, Sec 148a) and Provisions in Connection with ID Theft, Fraud,
  Forgery, and Cybercrime.
• Privacy and ID Protection Provisions in the General Civil Code
• Data Protection Act 2000
• Data Protection Provisions in the Telecommunications Act 2003
Application of relevant laws in practice
Despite there being no case law by the Higher Courts or the Austrian Supreme Court in
the area of identity theft, there appears to be a sufficient body of existing law which could
be applied to prosecute perpetrators of identity theft in the examples considered. For
example, unlawfully using another person’s credentials online could constitute a violation
of the DSG 2000, since the credentials are likely to be considered personal data which are
being unlawfully processed. In the case of using falsified identity documents to unlawfully
apply for social benefits, this would constitute a violation of Sec 43 ABGB, and a violation
of the DSG 2000.
Reporting Mechanisms
Websites exist for providing information on safe use of the Internet
(http://www.saferinternet.at) and for reporting offences related to child pornography or
National Socialism (http://www.stopline.at), but there is no general reporting site for
‘cybercrime’, and none for identity theft, in Austria. Consequently, identity theft
incidents should be reported to the general IT-Crime Department incorporated within
the Federal Criminal Police Office (‘Bundeskriminalamt’)
(http://www.bmi.gv.at/cms/BK/start.aspx).
Concluding Comments
It seems that the legal framework for combating identity theft incidents, but only the ones
causing damages, is sufficiently comprehensive in Austria. However, there is no central
contact point for reporting Internet crimes in general and identity theft in particular in
Austria. Consequently, victims of identity theft are required to go through official channels
(ie, registering a complaint with local police officers) up to the general IT-Crime
Department incorporated within the Federal Criminal Police Office
(‘Bundeskriminalamt’). This process seems to be rather non-transparent to victims. In
general, identity theft does not appear to take a high priority in everyday crime practice in
Austria.
7.3 Belgium
No legislation has been introduced in Belgium that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection,
fraud, etc.). No such legislation is currently under consideration to our knowledge.
Instead, the policy emphasis in Belgium is more on improving awareness of identity theft
risks with potential victims and law enforcement bodies.
Other laws that may apply to ID theft incidents
• Criminal Code (eg, Art 196) and Provisions in relation to Fraud, Forgery and
Cybercrime (eg, Art 496).
• Data protection law: Law of 8 December 1992 protecting the private sphere in
relation to personal data processing
• Law of 13 June 2005 on electronic communication
Application of relevant laws in practice
There are a number of examples of successful prosecutions of ID theft incidents in
Belgium:
• In 2002 the criminal court of first instance in Liège ruled that the use of a false
  identity in a web forum to solicit erotic messages to a phone number which did
  not belong to him constituted fraud and stalking.
• A Supreme Court ruling in 2003 found that using a third party’s stolen credit card
  constituted computer-related fraud.
• A person who falsified his identity documents in order to obtain social benefits
  was sentenced to 3 years imprisonment by the Court of Brussels in 2004.
• In 2000 a hacker was convicted by the criminal court in Ghent for violation of
  communications secrecy laws, having collected ISP customer data (username,
  password, credit card numbers) which he then released to press agencies.
Reporting Mechanisms
The eCops reporting site (www.ecops.be) acts as a single contact point, through which any
Internet-based crime incidents can be reported using standardised forms. Reports
submitted via the site are automatically transferred to the Federal Computer Crime Unit
(FCCU). The eCops site is primarily aimed at allowing citizens to report Internet crime that
they have observed but of which they were not the victims. Victims of identity theft and
related crimes are recommended to contact their local police office directly.
Concluding Comments
The legal framework for combating identity theft incidents in Belgium appears to be
sufficiently comprehensive, and has resulted in a number of successful prosecutions. The
eCops site as a central contact point for reporting Internet crimes can be considered a
positive development, although victims of identity theft are still required to go through
local police offices, where the investigation process remains relatively non-transparent.
7.4 Bulgaria
No legislation has been introduced in Bulgaria that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection,
fraud, etc.). On the other hand, the Bulgarian Criminal Code contains numerous provisions
which fix punishments for specific crimes that may involve identity theft incidents.
Other laws that may apply to ID theft incidents
• Criminal Code (eg, Art 209) and Provisions in relation to Fraud, Forgery and
  Cybercrime.
• Personal Data Protection Act
• Electronic Communications Act
Application of relevant laws in practice
There are a number of examples of successful prosecutions of identity theft incidents in
Bulgaria including:
• Bourgas Regional Court in 2008 found the accused guilty of mounting a special
  technical device on an ATM machine, through which he had acquired
  information contained on bank cards used at that ATM.
• Sliven Military Court in 2008 found the accused guilty of disclosing personal data
  (including names, personal identification numbers, addresses and photos)
  belonging to a group of natural persons, to a single natural person who was not
  entitled to access the data.
Reporting Mechanisms
A site (http://www.cybercrime.bg/index.html) was established by the Bulgarian Ministry of
the Interior to act as a single point of contact for reporting Internet-based crime incidents.
This website also contains useful and comprehensible information on some cybercrimes,
including on the risk of identity theft incidents on the Internet and how citizens can
protect themselves against such attacks. In addition, the website of the Bulgarian Personal
Data Protection Commission allows online submission of any complaints related to any
violation of data protection legislation (http://www.cpdp.bg/?p=pages&aid=6).
Concluding Comments
The legal framework for combating identity theft incidents in Bulgaria appears to be
sufficiently comprehensive as there do not appear to be any examples of identity theft
incidents which are not covered under present legislation. The establishment of a contact
point for reporting cybercrimes can also be considered as a positive development.
Nonetheless, there are a few weaknesses. Firstly, the reporting website is not subject to
update or further development. Also, it is not very well promoted among the public. In
practice, victims of identity thefts are still required to go through official channels (ie,
registering a complaint with local police offices). Secondly, the investigation of incidents
remains complicated in practice, especially in cross border cases. In addition, there is no
regulation focused specifically on the online identity theft incidents which are not related
to a fraud or other mercenary purpose but result only in moral damages. Such cases are not
treated as crimes and respectively are not subject to criminal investigation.
7.5 Canada
On the 31st of March 2009 the Act to amend the Criminal Code (identity theft and related
misconduct), Bill S-4, was introduced in the Canadian Senate. With its coming into force
on the 8th of January 2010, the bill, which – with a few additional offences - covers the
same provisions already proposed in 2007 by Bill C27, has amended the Criminal Code to
cover identity-related crimes. In particular the bill aims to close the gap with respect to
certain activities not previously covered by other provisions of the Criminal Code, such as
preparatory activities.
Other laws that may apply to ID theft incidents
The following central federal laws regulate privacy and data security:
• Criminal Code (eg, Section 403) and Provisions in relation to Fraud, Forgery and
  Cybercrime
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Privacy Act
In addition, several privacy laws are also implemented at state and province level, for
example, Ontario’s ‘Freedom of Information and Protection of Privacy Act’.
Application of relevant laws in practice
Given the Act to amend the Criminal Code (identity theft and related misconduct) has
only come into force in the beginning of 2010, one will have to see how these new
provisions are going to be applied over time. Existing privacy law has been used effectively,
for example to change the business practices of a company which collected email addresses
from public websites for marketing purposes.
Reporting Mechanisms
There is no one-stop-shop mechanism in place for reporting identity theft-related crimes in
Canada; rather there are several points of information on fraudulent activities in general
(including identity theft) and a few that specifically target identity theft. These websites
and hotlines are operated by a range of different entities, including Canadian law
enforcement agencies, ministries and other governmental entities, as well as not-for-profit
organizations. An example would be the Canadian Anti Fraud Center
(http://www.phonebusters.com). However, none of these hotlines/websites seem to
coordinate the further process, rather they provide guidance on the steps to be taken after
having become a victim, and raise awareness by providing information material to the
public.
Concluding Comments
In light of the federal structure that provides in certain relevant areas for decentralized
layers of applicable regulation in addition to the federal level (eg, data privacy regulation),
it has to be cautioned that the assessment of the most important legislation on federal level
can of course not provide an exhaustive picture. However, particularly taking into
account the most recent amendments of the criminal code with respect to identity theft-related crimes, it seems that overall the legal framework for combating identity theft
incidents in Canada is quite comprehensive. How effective the enforcement of the new
provisions will be remains to be seen, however. While there is a broad range of information
available online on how to prevent identity theft and what to do in case it happens, there is
no one-stop shop point for reporting. Victims still have to report to the local law
enforcement office, and contact several administrative agencies in order to remedy the
identity theft.
7.6 China
There is no legislation in China that focuses explicitly on identity theft as a specific crime,
or that defines such a crime. In practice, identity theft incidents are combated using the
relevant provisions in a variety of laws (in relation to privacy protection, fraud, forgery of
authority documents, etc.).
Other laws that may apply to ID theft incidents
• Criminal Code (eg, Article 192, 194 and 195) and Provisions in relation to Fraud,
  Forgery and Cybercrime
• Measures for the Administration of Protecting the Security of International
  Connection to Computer Information Networks (Article 17 December 1997)
• Measures for Administration of Email Service on the Internet
• Law on the Identity Card of Residents (Article 17 and 18 of Law of 28 June 2003)
• Tort Liability Laws applied to privacy breaches (Art 2 of Law of 26 December
  2006)
Application of relevant laws in practice
There are examples in case law of prosecutions of both offline and online identity theft
offences. For example, a mother who in 2004 paid to swap her daughter’s identity with
that of another person, in order for her daughter to attend university, was sentenced to a
four year fixed term imprisonment. In another case, in June 2009 four phishing website
operators were arrested and imprisoned for the crime of fraud. Finally, in 2009 an
individual, who illegally purchased a detailed log of telephone calls made by high-ranking
local government officials, then sold it to fraudsters who used it to impersonate the officials
in order to extract money from their friends, was sentenced to 18 months imprisonment.
Reporting Mechanisms
In China, no governmental reporting mechanisms are dedicated exclusively to identity
theft. Cybercrime or other forms of fraud may be reported to the police, in the same way
as any other type of crime. Some non-governmental reporting mechanisms have been
established in some regions. They are however not operated by law-enforcement agencies
and have only an informational function or provide a technical solution.
Concluding Comments
China has no specific anti-identity theft law, nor is there any specific legal stipulation on
identity theft. The legal sources are relatively sporadic (ie, with little coordination) and
complicated. With respect to the criminal punishments, identity theft can be criminalized
as fraud, forgery, hacking or computer system interference, etc. depending on the
circumstances of the cases. With respect to the administrative punishments, there are a
number of laws or regulations addressing the issue from different perspectives, such as
computer security, privacy and personal data, confidence and communication, etc. The
legally complex situation frequently puzzles the enforcement agencies. Civil liability is
generally weak and poorly enforced. Most identity theft victims don’t receive any monetary
compensation and experience tremendous difficulty in resuming their own identity. There
is no centralized identity theft reporting and protection mechanism provided by any law or
operated by any governmental agency. Identity theft cases are primarily handled by police
and have to undergo the regular lengthy procedure of investigation and prosecution, which
cannot provide timely legal remedies to the victims.
7.7 Cyprus
Even though there is no specialised legislation applicable in Cyprus concentrating solely on
identity theft criminal issues, nevertheless, identity theft incidents may be combated using
other laws and regulations concerning cybercrime, personal data protection, criminal
sanctions, fraud, etc.
Other laws that may apply to ID theft incidents
• Criminal Code (Section 297) and Provisions in relation to Fraud, Forgery and
  Cybercrime
• Law of 2004 Ratifying the Cybercrime Convention of 2001
• The Processing of Personal Data Law of 2001
• Law Regulating Electronic Communications and Postal Services of 2004
• The Law for the Protection of Confidentiality of Private Communications
  (Interception of Conversations) of 1996
Application of relevant laws in practice
While the existing laws appear to be sufficient to address identity theft, it should be noted
that there is no readily available information about case-law at first instance level because
in Cyprus only cases at appeal level are recorded. Therefore, there may have been cases
judged on identity theft. Examples of prosecutions do exist; for example, in 2009 there
were 40 complaints filed with the Office of the Commissioner for the Protection of
Personal Data regarding unsolicited marketing against an email marketing company. A
fine of EUR 8000 was imposed.
Reporting Mechanisms
SafenetCY is the Cyprus Self Regulatory Body for Internet Content. It is the Hotline that
promotes the safe use of the Internet in Cyprus. Every report is recorded in SafenetCY’s
database. From that point, every procedure has to be completed no later than 24 hours
from the time the report was made. The procedures include: verification, tracing the
source, notifying Cyprus Police and notifying foreign hotlines if necessary. Usually, victims
of ID theft report an incident directly to the police by visiting a police station in their area.
Concluding Comments
Because the Republic of Cyprus has ratified the Cybercrime Convention and
has harmonised Cypriot legislation with the applicable acquis communautaire, it can be
said that, overall, the legal framework for combating identity theft incidents in Cyprus is
adequate. The establishment of the SafenetCY Hotline has also facilitated the
establishment of efficient reporting mechanisms. Victims of identity theft may report any
event either through the SafenetCY Hotline or directly to the Police. The SafenetCY
Hotline is not promoted as a site where only non-victims report Internet crimes; on
the contrary, it is a forum for actively protecting victims. Identity theft appears to take a
high priority in investigations, especially in cases of clear and significant harm to the
victim. There are many reports in various public media regarding the Police’s efforts and
work in fighting cybercrime and identity theft especially where there are sexual offences
against minors involved or theft. Incidents in cross-border cases are regularly investigated
in collaboration with INTERPOL and EUROPOL. There have been many instances
where persons have been extradited to their country of origin in order to be tried for
cybercrime offences committed on an international level.
7.8 Czech Republic
No legislation exists in the Czech Republic that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. Introducing identity theft as a crime had been
considered during the preparation of the new Penal Code in 2009; however no such crime
was included when the Penal Code was adopted.
Other laws that may apply to ID theft incidents
• The Criminal Code (eg, Section 209) and Provisions in relation to Fraud, Forgery and Cybercrime
• Data Protection Act 2000
• Electronic Communications Act
• The Civil Code (Section 11 of Civil Code of Feb 26 1964)
Application of relevant laws in practice
In 2008 an offender stole a passport of another person and acted as this person during
criminal proceedings concerning theft, in which the offender was also found guilty under
the other person’s name. The offender was subsequently accused of a criminal offence
consisting in harming a third party’s rights. The criminal proceedings are ongoing and a
sanction has not been imposed yet. The sanction may be imprisonment for up to two
years. In addition, there have been several cases involving phishing in relation to which a
criminal investigation has been initiated, but to our knowledge no final judgements have
thus far been issued in these cases.
Reporting Mechanisms
Where ID theft can be considered a violation of criminal law the incident is to be reported
to the Police in line with standard procedures. No special reporting mechanism has been
established. The following websites focus on safety on the Internet. The first forms part of the
EU program ‘Safer Internet’; the second and third websites have been endorsed by the
Czech Police and Ministry of Education:
• http://www.saferinternet.cz/o-projektu
• http://www.emag.cz/komiks-bezpecny-internet/
• http://www.internethotline.cz/co-a-jak-hlasit-co-nehlasit.htm
Concluding Comments
The Czech Republic has adopted a new law significantly changing the punishment of
cybercrime. With its entry into effect on 1 January 2010, the new Criminal Code includes
a range of provisions sanctioning cybercrime. The proposals for these provisions were
based on the Cybercrime Convention approved by the Committee of Ministers of the
European Council in 2001 (the Convention), which the Czech Republic signed in 2005
(but which has yet to be ratified by the Czech Republic). Another related issue is the lack
of incentives to report identity theft. For example, the banks and other financial
institutions whose clients fell victim to identity theft were often reluctant to report these
crimes to the law enforcement authorities out of fear for reputational damage and loss of
credibility, and they preferred instead to compensate their clients for any financial losses.
The new Criminal Code takes into consideration recent developments in information
technology and the know-how of cybercriminals, heralding a significant change in the
prosecution of cybercrime in the Czech Republic.
7.9 Denmark
No legislation has been introduced in Denmark that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection,
fraud, etc.).
Other laws that may apply to ID theft incidents
• The Criminal Code (Article 171) and Provisions in relation to Fraud, Forgery and Cybercrime
• Act on processing of personal information (Act No 429 31 May 2000)
• Consolidation Act on competition and consumer relations within the telecommunications market, 28 June 2007.
Application of relevant laws in practice
Several cases are known in relation to using a third party’s stolen credit card, which is
found to constitute fraud. In the online sphere, in a case from 2000 decided by the Eastern
High Court a person was convicted for getting access to a third party’s computer and
passwords by using a hacker program. The hacker was sentenced to imprisonment with
suspended extension. The length of imprisonment was not decided. The result was the
same in another case from 2002 published in Ugeskrift for Retsvæsen, 2002, p. 1064.
Reporting Mechanisms
No general identity theft reporting mechanisms exist in Denmark. The Danish IT and
Telecom Agency has launched a website called ‘IT-citizen’ which also provides information
on security aspects, including identity theft (http://www.it-borger.dk/sikkerhed).
Concluding Comments
It seems that the legal framework for combating identity theft incidents in Denmark is
sufficiently comprehensive, as there do not appear to be any examples of identity theft
incidents which are not covered under present legislation. Some criticisms have been raised
that creating a false identity on-line would not be prohibited under Danish law. However
it must be expected that such actions would be covered by the Danish data protection act
and further by articles under the Criminal Code depending on how the false profile is
created and which information is received.
It could be considered a weakness that no general contact point for reporting identity theft
exists. However at present this does not seem to have caused any public criticisms.
7.10 Estonia
The main provisions that regulate identity theft in Estonia as a specific crime or that
define such a crime are written in the Estonian Penal Code. In Estonia criminal offences,
including identity theft, can only be regulated in the Penal Code. Under the Penal Code
identity theft has been criminalised since 15.03.2007.
Other laws that may apply to ID theft incidents
• Penal Code, 2002 (e.g. Section 209)
• Personal Data Protection Act, 1 January 2008
• The Constitution of the Republic of Estonia, 3 July 1992
Application of relevant laws in practice
The Estonian Supreme Court (‘Riigikohus’) dealt with cases where a third party’s Bank
Identifier Codes had been used to gain access to an Internet bank account. The Supreme
Court found this to constitute computer-related fraud. For an offline example, the
Estonian Supreme Court ruled on a case in 2009 where a person falsified an important
identity document (ex § 347 of the Criminal Code), i.e. a passport, to conclude a contract
for the purchase of mobile phones.
Reporting Mechanisms
Victims of identity theft or identity-related incidents are recommended to contact the local
Police directly. The website of the Estonian Police and Border Guard Board
(http://www.politsei.ee/et/nouanded/it-kuriteod/) provides information about identity
crimes and how to protect oneself and how to contact the police if you are a victim of
identity theft or IT crime. The police also provide information about fraud and computer-related
fraud. To raise Computer Security and identity theft awareness among the general
public several other informational websites have been launched (see for example
http://www.arvutikaitse.ee and http://www.assapauk.ee).
Concluding Comments
The legal framework for combating identity theft incidents in Estonia is sufficiently
comprehensive and flexible. There do not appear to be any examples of identity theft
incidents which are not covered under present legislation. One weakness is that the
country does not have any identity theft reporting mechanisms (websites) but there is
always the possibility to report the malpractice to the Police. Victims of identity theft are
required to go through official channels to report the theft (ie, registering a
complaint with local police). This process can be slow and it seems that identity theft does
not appear to take high priority in investigations, except in case of clear and significant
harm to the victim.
7.11 Finland
No legislation has been introduced in Finland that focuses explicitly on ID theft as a
specific crime, or that defines such theft as a crime. However, stealing and/or using
someone else’s ID would most likely constitute violation of other provisions of law (eg,
Personal Data Act, 523/1999, and Criminal Code, 39/1889).
The Finnish Ministry of the Interior has set up a working party to assess the protection of
identity by legal means and the report of the work should be published during the spring
of 2010. Pursuant to the initial information given by the Ministry of the Interior, the
working party will not be proposing criminalization of identity theft as a specific crime but
will submit this issue to be further considered by the Finnish Ministry of Justice.
Other laws that may apply to ID theft incidents
• Criminal Code (eg. Section 2, Ch 36) and Provisions in relation to Fraud, Forgery and Cybercrime
• Personal Data Act 1999
• The Act on the Protection of Privacy in Electronic Communications
Application of relevant laws in practice
There are several cases specifically in relation to using a third party’s stolen credit card.
Paying for purchases with a stolen credit card is considered fraud in Finland. However,
most of these offences are not committed online. For example, in 2009 the Kouvola Court of
Appeal ruled that using a found credit card and falsifying the signature when paying by
the card constituted fraud and forgery.
Reporting Mechanisms
In Finland one can report identity theft to the police if it involves a suspected crime. It is
possible to file an electronic report of an offence via the police’s website. The website offers
special forms for reporting crimes (http://www.poliisi.fi). The Finnish Communications
Regulatory Authority (in Finnish: Viestintävirasto) is an authority which maintains an
overview of the functionality of electronic communications networks and information
security, and reports on possible information security threats. A form for reporting
information security offences is available on its website, as well as basic instructions on
information security matters. It is also possible to report all cases which involve the misuse
of personal data to the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun
toimisto), which is an independent authority operating in connection with the Ministry of
Justice. Its website also includes a lot of information on data protection in general.
Concluding Comments
The main challenge/problem in Finland seems to be that identity theft itself is not
criminalized and so the Criminal Code covers certain forms/types of identity thefts only.
Identity theft is not a criminal offence unless it involves the unlawful appropriation of
property (fraud) or spreading false information or a false insinuation of another person so
that the act is conducive to causing damage or suffering to that person or subjecting that
person to contempt (defamation). Further, one can argue it is problematic that in cases of
fraud the injured party of ID theft is not considered to be the person whose identity has
been stolen but for example the store where the purchase was made with the false identity.
Based on the above, one can likely argue the current legislation does not protect the ‘real’
injured party enough.
7.12 France
The French Criminal Code contains a specific provision for identity theft (Article 434-23).
The wording of this article, however, leaves out a number of cases where identity theft
does not trigger any legal or economic consequence for the victim. Such acts are nowadays
pursued under other crimes such as libel or misappropriation of correspondence. However,
conduct which does not by itself constitute a crime remains unpunished. This is, for
instance, the case where third parties fraudulently use emails to, for example, affiliate the
victim to a political party or other associations. Similarly, phishing cannot currently be
punished under Criminal Law if not followed by potential initiation of criminal
prosecution against the victim. In order to close this legal loophole, the creation of a new
crime that would punish identity theft in electronic communications is currently being
discussed by the French Parliament. If approved, the act (known as LOPPSI 2) would
introduce a new article into the Criminal Law Code.
Other laws that may apply to ID theft incidents
• Criminal Code (Article 441-4) and Provisions in relation to Fraud, Forgery and Cybercrime
• Data protection law (Act n°78-17 of 6 January 1978)
• Civil Code (Article 9)
Application of Relevant Laws in Practice
There are a number of examples of successful prosecution of identity theft offences in
France including:
• The ruling of the Supreme Court of 20 January 2009. The authors of the crime had published pictures of the victim naked on the Internet making use of her email address. The offenders were convicted on the basis of article 434-23 of the Penal Code (identity theft) and the right to privacy.
• In the High Court ruling of 2004, the First Instance Tribunal of Paris sanctioned a phishing attack on the basis of fraud, unlawful access to a computer system and unlawful alteration of data contained in such system. The convicted person had mirrored a bank website and by these means managed to order transfers of funds of his victims to chosen bank accounts. The offender was also convicted for attempted fraud and fraudulent access to an automated data processing system and received a suspended prison sentence of one year and a fine of 8,500 euros.
Reporting Mechanisms
There is no specific identity theft reporting mechanism in France. Several public awareness
campaigns have been launched on the basis of private initiatives, mainly related to financial
identity theft.
Concluding Comments
It seems that the legal framework for combating identity theft incidents in France is
sufficiently comprehensive. The identity fraud offence as punished under the Criminal
Code is hardly used in legal procedures when it comes to online identity fraud. Other
crimes are better suited to protect the victims from these practices such as fraud or
unauthorised access to an information system. The introduction of a new crime of digital
identity theft will better address the problems raised by online identity theft.
7.13 Germany
No legislation has been introduced in Germany that focuses explicitly on identity theft as a
specific crime and hence defines such an identity theft crime. In practice, identity theft
incidents are combated using the general provisions of the laws set forth below, in
particular in relation to the laws concerning the right to one’s own name, the protection of
personal data against unauthorised use, and the criminal offences of data espionage, data
interception, data-related forgery, fraud, computer-related fraud, data alteration and
computer sabotage.
Other laws that may apply to ID theft incidents
• Criminal Code (Section 263 (3))
• Telecommunications Act (eg, Section 88)
• Federal Data Protection Act
Application of law in practice
There are a number of examples of successful prosecution of identity theft offences in
Germany including:
• In civil proceedings, claimants have based their action against the unauthorised use of their name by another person on the infringement of their right to their own name pursuant to section 12 BGB. There is a string of well established cases where courts have found that this right to one’s own name entitles the holder to forbid the unauthorised use of the same name by another person, in particular if the use of the same name causes a likelihood of confusion.
• In both civil and criminal proceedings concerning the unauthorised use of unlawfully obtained data containing personal identity information, courts have found that the unauthorised use of such unlawfully obtained data for a transaction causing damage to the victim’s financial position may constitute a criminal offence of fraud or computer-related fraud.
• Prevailing case law criminalises the act of using spyware itself as a hacker tool preparatory to an intended data espionage, data interception, data tampering or computer sabotage only if this spyware has been objectively designed or adapted primarily for the purpose of committing intended data espionage.
Reporting Mechanisms
There is no German language website which is dedicated solely and exclusively to identity
theft where victims of ID theft could use an official reporting mechanism in order to file
their charges. However, several websites focussing on Internet security and cybercrime in
general offer valuable advice and guidance for consumers who seek to protect themselves
against identity theft (for example http://www.bfdi.bund.de).
Concluding Comments
In general, it seems that the legal framework for combating identity theft in Germany is
sufficiently comprehensive, as there do not appear to be any relevant cases of identity theft
incidents which may not be covered by the available laws at present. Data breach disclosure
laws act as one remedy for identity theft. The effectiveness of data breach disclosure law
relies on the actions taken thereupon. Therefore, it is important to raise public awareness
of identity theft risks with consumers, businesses, state agencies and law enforcement
bodies.
7.14 Greece
No legislation has been introduced in Greece that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection,
fraud, etc.). No such legislation is currently under consideration to our knowledge.
Instead, the policy emphasis in Greece is more on improving awareness of ID theft risks
with potential victims and law enforcement bodies. It should be noted that Greece has still
not ratified the Council of Europe Convention on Cybercrime nor has it transposed the
EU Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against
information systems into the Greek legal system.
Other laws that may apply to ID theft incidents
• Penal Code (eg, Art 386)
• Protection of Individuals with regard to the Processing of Personal Data.
• Protection of personal data and privacy in the electronic telecommunications sector.
Application of law in practice
There are a number of examples of successful prosecution of identity theft offences in
Greece including:
• A defendant created a Facebook account under a fake name and posted defamatory information about and documents of the plaintiff. This act was considered as unlawful processing of personal data and violation of the personality of the defendant. However it should be noted that the decision on the case is not final yet.
• Several cases of prosecution are known, specifically in relation to using a third party’s stolen credit/debit card.
• In a case in which the defendant was intercepting credit card and identity details online and selling them to third parties via the Internet, the Supreme Court ruled that Fraud (and not Fraud with a computer) had taken place.
Reporting Mechanism
Saferinternet.gr (www.saferinternet.gr) is the awareness-raising and information website of
the Greek Awareness Centre, under the auspices of the Hellenic Ministry of Economy and
Finance/Special Secretariat of information society in cooperation with various private and
public market players. Saferinternet.gr serves as an information portal for Internet-based
crimes, but focuses also on identity theft. The hotline SafeLine (http://www.safeline.gr/)
exists for the reporting of violations (including identity theft incidents). Although SafeLine
focuses mainly on illegal Internet content, it is also used as the reporting mechanism for
any Internet-based crime, including identity theft.
Concluding Comments
Greece has still not ratified the Council of Europe Convention on Cybercrime (185).
Similarly, it has not transposed the EU Council Framework Decision 2005/222/JHA of 24
February 2005 on attacks against information systems into the Greek legal system. Nevertheless,
analysis shows that most of the identity theft cases can be covered under the current legislation.
7.15 Hungary
Identity theft is not a specific crime under Hungarian legislation. While some elements
related to identity theft, such as personal data abuse, illegal access to computer systems or
communications networks are covered by specific acts, these behaviours are punishable
under the Criminal Code as well as fraud and forgery. The preparation of the bill on IT
Security was finished in 2009. The bill gives the definition of identity theft, and if it is
enacted in time these crimes should be sanctioned by the (amended version of the)
Criminal Code from January 1, 2011.
Other laws that may apply to ID theft incidents
• Criminal Code (eg, Article 318)
• Protection of Personal Data and the Disclosure of Information of Public Interest.
• Act on electronic communications
Application of law in Practice
In a case in 2007, the Municipal Court heard the case of a bank employee and an
accomplice who without authorization collected the account details of 7 clients containing
large amounts of money from the bank information system and transferred money into
two bank accounts opened using lost and falsified identity documents. The Municipal
Court found the defendants guilty of fraud together with the crime of violation of banking
secrecy and the offense of forgery of official documents.
According to the statistics of the General Prosecutor's Office, 2302 denunciations were made
for abuse of personal data in 2007; of these, the investigation was discontinued in 2207
cases in the prosecutorial phase. Far fewer denunciations, 262, arrived in 2008; among
these, 158 investigations were discontinued, and in 68 cases the denunciation was rejected. The
majority of the rejections were due to the absence of a significant injury of
interest.
Reporting Mechanisms
If action is required the incident should be reported to the police. The police shall answer
in three days or inform about the responsible authority. This is a general rule covering
identity theft or other online-related crime as well. The National Cyber security Center
publishes daily and weekly reports about vulnerabilities, risks and incidents and quarterly a
summary and analysis, with other professional papers. It operates the National General
Duty Service of Informatics and Communications, an onsite 24/7 duty service to handle
incidents.
Concluding Comments
The legal framework is sufficiently comprehensive in the field of personal data protection
and computer crime. The act on electronic communications regulates the functions of the
state and the service providers essentially governed by market competition. The act
provides for the protection of systems security, however, it does not prohibit any form of
unauthorized access by any unauthorized natural or judicial individual which is sanctioned
by the Criminal Code at the same time. The preparation of the bill on IT Security in 2009
should be considered positively, should it be soon enacted by the Parliament.
7.16 India
There is no general data protection law in India. The Constitution of India, ratified in
1950, does not explicitly recognize the right to privacy. However, the Supreme Court first
recognized in 1964 that there is a right of privacy implicit in Article 21 of the
Constitution, which states, ‘No person shall be deprived of his life or personal liberty
except according to procedure established by law’. There is no mention here of the word
‘privacy’; instead the term ‘personal liberty’ has been used. The Information Technology
Act 2000 (IT ACT 2000) was notified on Oct 17, 2000 by the Indian Parliament. An
amendment to the 2000 Act was proposed in 2005/2006; it was amended through the
Information Technology Act 2008 and was notified by the Indian Parliament on Oct 27,
2009. The amended Act addresses many cyber security and privacy issues.
Other laws that may apply to ID theft incidents
• Indian Penal Code, 1960
• IT ACT 2000
• Special Relief Act, 1963
Application of law in Practice
Several examples exist of applying existing law to identity theft cases, particularly in the
areas of unlawfully using another person’s credentials, and trafficking in unlawfully
obtained pictures and videos.
Reporting Mechanisms
Indian citizens have many venues to report identity theft:
• Indian Computer Emergency Response Team (CERT-IN)
• Cyber Crime Investigation Cells across India (eg, http://www.cybercellmumbai.com/ in Mumbai)
• Cyber Crime police stations; an example in Bangalore http://www.cyberpolicebangalore.nic.in/
The caveat is that the reporting mechanisms are not promoted as they should be and
therefore the number of incidents reported is far lower than the actual number.
Concluding Comments
The laws appear sufficient to cover all incidents of identity theft in some form or other,
but the problem seems to be the gap between technologists and lawyers in India. There
is very little interaction between these two communities. There is also a dearth of
knowledge on the techno-legal aspects of the identity theft issue. One main thing that
India needs to look at is capacity building, to train technologists about law and
lawyers/investigating officers about technology. Given the plethora of issues and huge
population in India, it may not be appropriate to expect quick responses with respect to
solving the identity theft problem. Some of these cases take a long time and it is highly likely
that there are many cases that are being discussed in the court as this report is written.
7.17 Ireland
There is no Irish legislation focusing specifically on identity theft. Identity theft incidents
would be dealt with through provisions relating to fraud or data protection. No such
identity theft laws are currently under consideration by the lawmaker according to the
available information.
Other laws that may apply to ID theft incidents
• Criminal Justice (Theft and Fraud Offences) Act 2001
• Criminal Damage Act 1991
• Data Protection Acts 1988
• Data Protection (Amendment) Act 2003
• Postal & Telecommunications Services Act 1983
Application of law in Practice
There are relatively few examples in case law of identity theft-related incidents. However,
one example of Irish law in practice was the dealing by the Data Protection Commissioner
with an inquiry relating to an offer of the ‘gift’ of a database of names and addresses that
had been made to a charity. The charity asked for advice from the Commissioner’s office as
to whether they could accept this gift. The Commissioner expressed the view that
acceptance of the gift would involve breaches of the fair obtaining and compatible
processing requirements of the Data Protection Acts. In addition, a number of
prosecutions have taken place for passport fraud.
Reporting Mechanisms
No dedicated identity theft reporting mechanisms exist. The ‘www.hotline.ie’ service
provides a facility for the public to report suspected illegal content encountered on the
Internet. It is mainly concerned with material such as child pornography but it appears
that it does receive complaints concerning identity theft and phishing.
Concluding Comments
Regarding the issue whether or not the laws are sufficiently flexible to cover all incidents of
identity theft, the laws appear to be suitable in terms of covering all incidents of identity
theft in Ireland. The Data Protection Commissioner is of the view that identity theft is not
a significant issue in Ireland. The Commissioner takes the view that one reason for this is the
absence of a unique national identity number in widespread use. As regards the
application and effectiveness of these laws in practice, the main challenges include issues
relating to detection and the gathering of evidence. The often cross jurisdictional nature of
the problem exacerbates these problems. Regarding the reporting mechanisms and
following up of investigation, there is no dedicated identity theft reporting mechanism in
place. While such a mechanism could be useful, the establishment of a new reporting
mechanism could be a source of confusion to the public. It might therefore be better to
run a public information programme making it clear that incidents of identity theft should
be reported to the Data Protection Commissioner or, where there is criminal intent, to the
police. The institution of a mechanism for the online reporting of identity theft involving
criminal intent via the Garda website could be explored.
7.18 Italy
No legislation has been introduced in Italy that focuses explicitly and directly on identity
theft as a specific crime, or that defines such a crime comprehensively. Currently, identity
theft-related crimes, in their various expressions, are countered through the general
provisions listed below. No such legislation is currently under evaluation or definition. The
policy emphasis is on improving awareness of such crime among citizens and on law
enforcement bodies.
Other laws that may apply to ID theft incidents
• Code of criminal procedure (Art 640 ter)
• Italian Constitution
• Code of protection of personal data
• Code of conduct for telecommunications
Application of law in Practice
There are a number of examples of successful prosecution of identity theft offences in Italy
including:
• In 2008, a cyber attack against the Italian Group ‘Poste Italiane’ (Italian Post Company) and one of the major banking and financial institutions (Banca Intesa) was prosecuted under art. 494 of the Criminal code (‘substitution of person’), citing the criminals’ intent to use a false identity to break into the companies’ electronic systems and steal money.
• Cases of ‘sms phishing’ and online phishing have been prosecuted. For example, in 2008 a court sentenced a 24-year-old man to 1 year and 8 months’ imprisonment for ‘manipulation of electronic communication for the purpose of fraud’.
Reporting mechanisms
• Polizia Postale e delle comunicazioni (TLC and Postal Police): the police branch
  specialized in the prevention of cyber crimes and the investigation of electronic
  crimes, the prevention of hacking, secrecy of communication and the fight against
  online pedo-pornography. It operates through 20 regional offices and an electronic
  window for reporting crimes.
• Commissariato online (online police office): the most recent and state-of-the-art
  reporting mechanism. Through an electronic window
  (http://www.commissariatodips.it/) crimes can be reported directly and with
  instant opening of a crime report.
Concluding Comments
From a general perspective, the Italian legislation to prevent and punish identity theft and
other cyber-related crimes is evolving rapidly. Within the framework of
European cooperation, Italy is updating most of its civil and criminal provisions to fight
such phenomena. Furthermore, there is a divisive political debate involving the Italian
Parliament and social actors about a potential reform of the law on secrecy of
communications (mainly based on wiretapping procedures and guarantees). It is highly
probable that the law will change very soon, implying a more restrictive interpretation of
procedures to authorize wiretapping and harsher sanctions for people violating data
protection (especially in terms of news leaks).
7.19 Japan
No legislation has been introduced in Japan that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection,
fraud, etc.). No such legislation is currently under consideration to our knowledge. Instead,
the policy emphasis in Japan is more on improving awareness of identity theft risks among
potential victims and law enforcement bodies.
Other Laws that may apply to ID theft incidents
• Penal Code (eg, Act No. 45 of April 24, 1907)
• Act on the Protection of Personal Information Held by Administrative Organs
• Act on the Protection of Personal Information Held by Independent
  Administrative Agencies
• Act on the Prohibition of Unauthorized Computer Access
• Family Registration Act
• Passport Act
Application of law in practice
There are a number of examples from case law in Japan relating to the claiming of a false
identity online, unlawfully using another person’s credentials, phishing, and trafficking in
unlawfully obtained personal information.
Reporting Mechanisms
In Japan, there exists no dedicated reporting mechanism for on-line or offline identity
theft. However, a website called ‘National Police Agency, Internet safety and security
consultation (keisatsucho intanetto anzenn anshin soudan)’
(http://www.npa.go.jp/cybersafety/) provides information and consultation services
related to phishing and unauthorized access to information. There are a number of other
websites which provide information on identity theft and cybercrime, including the
National Police Agency’s ‘Cybercrime Project’ (http://www.npa.go.jp/cyber/).
Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in Japan
is sufficiently comprehensive, as there do not appear to be any examples of identity theft
incidents which are not covered under present legislation. In Japan there is not a portal site
to report Internet crime, but various organizations including the National Police Agency
continue to work on informing the public. None the less, there are also a few weaknesses.
Firstly, when the victim encounters or almost encounters damage from cybercrime, the
police offices conduct a consultation and a report, but they do not come to public
attention. Victims of identity theft are required to go through official channels (ie,
registering a complaint with local police offices). Identity theft does not appear to take a
high priority in investigations, except in cases of clear and significant harm to the victim.
Secondly, the investigation of incidents remains complicated in practice, especially in cross
border cases. In Japan, many people do not seem to understand yet the value placed on
information, and the menace of the fraudulent use of information.
7.20 Latvia
In Latvia no laws which focus explicitly on identity theft have been introduced. The
phenomenon of identity theft, which may take multiple forms, is combated with the help
of the general laws, related to personal data protection, provision of communications
services, as well as with the help of various administratively and criminally punishable
offences. To our knowledge, no legislation, focusing explicitly on identity theft, is
currently being considered. However, at the beginning of March of this year the Cabinet
of Ministers tasked the Ministry of Transportation to develop a new law on cyber
security.
Other laws that may apply to ID theft incidents
• Criminal Law (eg, Section 177)
• Personal Data Protection Law
• Electronic communications law
Application of law in practice
Although no case law related to identity theft is publicly available, there do not appear to
be any examples of identity theft incidents which are not covered under present law. For
example, the act of phishing would likely be, amongst other things, a violation of the
personal data protection law, since the credentials are likely to be considered personal data
which are being unlawfully processed. The act of using falsified documents to unlawfully apply
for social benefits would likely be a violation of Section 275 of the Criminal Law
(Forgery).
Reporting Mechanisms
Computer incidents can be reported either by telephone or online at [email protected] to the
Computer Security Incident Response Team (DDIRV), which initially was established as a
department of the State information network agency. DDIRV’s basic service (for example,
recommendations in case of computer security incidents) is available for both registered
and unregistered clients, but only IT administrators of State and municipal institutions can
voluntarily register for additional benefits like pre-emptive information about threats that
might affect their systems. In addition, suspected illegal operations with personal data
should be reported to the Data State Inspectorate, by submitting the application either
personally or via post, or by sending information electronically (if signed by a secure
electronic signature).
Concluding Comments
It seems that the legal framework for combating identity theft incidents in Latvia is
sufficiently comprehensive. The tradition of defining administratively and criminally
punishable offences in codified laws – the Latvian Administrative Violations Code and the
Criminal Law, respectively, is long-standing, and therefore the absence of a specific law,
focusing explicitly on identity theft, does not seem to create any difficulty, since the existing
sources may easily apply to identity theft incidents. On the other hand, earlier this year a
large amount of personal data was stolen from the information systems of the State
Revenue Service. The data about the incomes of persons is publicly revealed from time to
time, and it seems that the State Police has had huge difficulty finding persons responsible
for the. This highlights that the challenge often lies in the practical implementation of the laws
rather than with the laws themselves. Moreover, data about the actual number of
administrative and criminal offences related to identity theft, as well as a complete database
of the court practice, is not publicly available.
7.21 Lithuania
No legislation has been introduced in Lithuania that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection, fraud
etc.). No such legislation is currently under consideration according to the information
available.
Other laws that may apply to ID theft incidents
• The Criminal Code (eg, Article 198)
• Legal protection of personal data, 1996
• Law on Electronic Communications, 2004
Application of law in practice
Several cases involve falsified identity documents, specifically in relation to using
falsified passports. For example, the Supreme Court of Lithuania ruled on a case where a
person falsified a passport. The defendant was convicted for violation of paragraph 2 of
Article 300 of the Criminal Code, which prohibits falsifying a passport, identity card,
driving licence or state social insurance certificate, and was sanctioned with imprisonment.
Reporting Mechanisms
To facilitate the reporting of IT security incidents (including, but not limited to, system
intrusion, phishing, spam, spyware etc.), a general reporting website (www.cert.lt) was
established by CERT-LT in Lithuania. CERT-LT is the Lithuanian National Computer
Emergency Response Team whose task is to promote security in the information society by
preventing, observing, and solving information security incidents and disseminating
information on threats to information security. CERT-LT activities are managed by the
Lithuanian Communications Regulatory Authority. CERT-LT publishes annual and
quarterly statistical reports on the status and developments of online-related crimes and
security threats in Lithuania. The CERT-LT website provides users with general information
regarding online incidents and the ways to combat them. The website of CERT-LT acts as
a single contact point, through which IT security incidents can be reported by filling in the
online form in either Lithuanian or English. When submitting a report, it is
required to provide an email address and a description of the IT incident. It should be
noted that the CERT-LT website is primarily aimed at allowing citizens to report information
security incidents or threats that they have observed but of which they were not the victims.
Victims of such incidents, if any damages were suffered, are recommended to contact
the local police office or the Lithuanian Cyberpolice (http://www.cyberpolice.lt) directly.
Concluding Comments
It appears that the legal framework for combating identity theft incidents in Lithuania is
sufficiently comprehensive to cover identity theft incidents described in this report.
Furthermore, the establishment of a single contact point for reporting IT security incidents
(the aforementioned CERT-LT website) should be considered as a positive development in
combating IT security threats. However, CERT-LT does not investigate the Internet
crimes associated with identity theft. Victims of identity theft are still required to go
through official channels (ie, registering a complaint with the local police office or
Cyberpolice). This process is still not transparent enough to victims. The follow-up of such
complaints can be rather slow. It should also be noted that there is not enough publicly
available information about Internet-based crimes, especially in the case of identity theft.
7.22 Luxembourg
No legislation has been introduced in Luxembourg that focuses explicitly on identity theft
as a specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection,
fraud, etc.). No such legislation is currently under consideration to our knowledge.
Other laws that may apply to ID theft incidents
• Criminal Code (Article 231 of the Criminal Code)
• Law on the protection of individuals with regard to the processing of personal data
• Law of 11 August 1982 on privacy
• Law of 30 May 2005 on specific provisions for the protection of persons with
  regard to the processing of personal data in the electronic communications sector
Application of law in practice
Although very little identity theft case law exists/is available in Luxembourg, it seems that
most identity theft incidents should be covered under present legislation. For example,
using falsified identity documents would likely constitute: a violation of data protection
laws; forgery related to identity documents; illegal access to information systems and illegal
data interference.
Reporting Mechanisms
There is neither a specific website dedicated to reporting of identity thefts in Luxembourg
nor any other specific off-line reporting mechanism. The victims of identity theft are
required to go through official channels. In this respect, they have the following three
options: they can file a criminal complaint at the offices of the Luxembourg Police Force;
they can file a criminal complaint with either the Public Prosecutor (‘Procureur d’Etat’)
or the competent Examining Magistrate (‘juge d’instruction’); or finally, victims of identity
theft may also bring a civil action before Luxembourg criminal or civil courts,
provided that they know the identity of the defendant. In addition, it is worth mentioning
the work undertaken by CASES (www.cases.lu), which is a service of the Luxembourg
Ministry of Economy and Foreign Trade. This service aims at increasing awareness of the
risks relating to computer systems and information networks among administrations,
companies and citizens.
Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in
Luxembourg is sufficiently comprehensive. The highly comprehensive information
broadcasted by CASES in relation to cybercrime and identity thefts can also be considered
a positive development. However, there is no single point of contact, online or off-line,
dedicated to reporting identity theft. Victims of identity theft are required to go through
official channels (ie, especially registering a complaint with local police offices). This
process is still relatively non-transparent to victims, and follow-up to such complaints can
be slow, depending on the availability of resources of the investigating magistrates. Identity
theft does not appear to take a high priority in investigations, except in cases of clear and
significant harm to the victim.
7.23 Malta
To date there is no legislation in Malta that explicitly regulates ‘identity theft’ as a specific
sui generis offence or contravention, or for that matter, which provides any express
definition or sanctions for such a specific crime. Therefore, at present, in the event that an
incident of identity theft occurs, legal action may be pursued under Maltese law only if the
incident may be deemed to constitute or form part of another offence at law (or if it is
deemed to be ‘preparatory works’ of such other offence or for instance, ‘conspiracy’ to
commit such other offence).
Other Laws that may apply to ID theft incidents
• Criminal Code (eg, Chapter 9, Article 308)
• The Maltese Constitution
• The Data Protection Act
• The Electronic Communications (Personal Data And Protection of Privacy)
  Regulations
• The Electronic Commerce Act
• The Identity Cards Act
Application of law in practice
There are a number of examples of prosecutions for identity theft in Malta. For example
there are several judgements relating to fraud by persons using the credentials of another
person. Also there are judgements relating to the use of falsified documents to unlawfully
apply for social benefits.
Reporting Mechanisms
In Malta there is no website reporting mechanism exclusively focused on identity theft.
However the general reporting site www.polizija.gov.mt would cover the reporting of such
incidents. This website is an e-government initiative focusing primarily on the reporting by
any person whatsoever of any criminal acts and on the provision of information to the
police about ongoing criminal activity or suspected criminal activity. The portal is
managed by the Malta Police Force. The scope of the portal is not focused purely on
identity theft incidents but is rather a tool which applies to all types of crimes including
offences which, as discussed above, could also constitute or include elements of identity
theft and which are not necessarily Internet-related crimes.
Concluding Comments
Generally, the Maltese legislative framework is broad enough to permit incidents of
identity theft to be prosecuted in Malta as the Malta Police Force Cyber Crime Unit (and
possibly the Office of the Data Protection Commissioner) will normally prosecute such a
crime under another specific offence in terms of law. Indeed, the practical and technical
difficulties to follow up and investigate such incidents, to collect evidence and to take
action in such cases are several and undoubtedly the cross-border nature of such crimes
remains one of the major obstacles related to their successful prosecution. On a separate
note, increased efforts are required to educate Maltese Internet users (especially consumers
and children) about the possible dangers which may exist online with respect to identity
theft. At present there appears to be no online tool which serves to provide clear,
user-friendly information to such Internet users and thus the execution of an ongoing online
campaign is recommended.
7.24 The Netherlands
No legislation has been introduced in the Netherlands that focuses explicitly on identity
theft as a specific crime, or that defines such a crime. In practice, identity theft incidents
are combated using the general provisions below (in relation to personal data protection,
fraud, forgery, hacking etc.). No such legislation is currently under consideration to our
knowledge.
Other laws that may apply to ID theft incidents
• Criminal Code (eg, Article 255)
• Law of 6 July 2000 protecting personal data
• Law of 19 October 1998 on telecommunication
Application of law in practice
There are some notable examples of case law related to identity theft in the Netherlands.
For example, in respect of phishing, there is the case of the Amsterdam Court of 28 May 2003
regarding a Nigerian scam where people were tricked by email. The suspect was convicted
of money laundering, involvement in a criminal organization, fraud, forgery and
possession of forged travel documents, and sentenced to a fine of 411.440 EUR and 4 years
and six months of imprisonment.
Reporting Mechanisms
CMI, the Central Reporting and Information Point for Identity fraud and Identity errors
(Centraal Melden Informatiepunt Identiteitsfraude en –fouten,
http://www.overheid.nl/identiteitsfraude) is an initiative of the Dutch government. The
purpose is to assist and advise citizens confronted with identity fraud or mistakes in the
registration of personal data. The website provides information in regard to prevention of
abuse, warning signs that can indicate abuse and an extensive FAQ-list. Inquiries can be
made via a contact sheet that will be answered by email. Once a victim becomes aware or
suspects identity fraud CMI will advise on appropriate actions to undertake, and will
provide follow-up information to the victim. Apart from CMI, several other sites play a
mainly informative role with respect to identity theft, including notably GOVCERT.NL
(http://www.govcert.nl/).
Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in the
Netherlands is sufficiently comprehensive, as there do not appear to be any examples of
identity theft incidents which are not covered under present legislation. The establishment
of a reporting site for identity theft (the aforementioned CMI portal) can be considered a
positive development. Also, starting in April 2010 the Netherlands have organized a
Knowledge centre Cybercrime (‘Kenniscentrum Cybercrime’). This centre will record all
case law regarding cybercrime and will supply the judges and clerks with practical and
judicial information on cybercrime. Crucial challenges include facilitating and streamlining
collaboration with the private sector (where many of the identity theft incidents originate),
and improving policy attention to the correction of errors introduced into official identity
databases as a result of identity theft.
7.25 Poland
No Polish legislation focuses explicitly on identity theft as a specific punishable act, nor
does it define the deed as such. Identity theft is therefore combated with the general
provisions listed below (as a data protection infringement, fraud, etc.). No legislation in
the area is currently under consideration either.
Other laws that may apply to ID theft incidents
• Criminal Code (Article 286 Section 1)
• Act of August 29, 1997 on the Protection of Personal Data
• Telecommunications Law 16 July 2004
Application of law in practice
There are several examples regarding the claiming of a false identity online, in which the
Data Protection Ombudsman has directed victims towards law enforcement agencies, after
which the Ombudsman lost track of the cases and the outcomes were unfortunately not
reported to the wider audience.
Reporting Mechanisms
No specific online identity theft reporting mechanisms exist in Poland. Instances of
identity theft may be reported to the police (no online applications facilitating this process
are available) or the Data Protection Ombudsman. In the latter case a victim may file a
complaint electronically (at http://www.giodo.gov.pl/432/id_art/2096/), yet to do this
effectively the complaint must be signed with a secure electronic signature (roughly
equivalent to an advanced electronic signature) verified with a qualified certificate. In the
case of damage done to a financial account, identity thefts are reported to the financial
institutions, predominantly by phone. Cooperation between those institutions and law
enforcement agencies is determined by each of those institutions separately.
Concluding Comments
It is hard to assess the scope and scale of identity theft in Poland, as no relevant statistics
have been made available; in all likelihood, no such statistics have been collected.
According to the assessment of the Data Protection Ombudsman, victims most often refer
to law enforcement agencies directly, without involving the data protection agency. Those
cases are hardly ever publicized.
Even though, therefore, the picture is very incomplete and instances of identity theft are
not exceptional, in most of the cases they have not seemed to involve significant damage to
their victims. There are several possible explanations for this situation. First,
the multifaceted legal framework provides for comprehensive legal protection, both
preventive (data protection legislation) and repressive (data protection and criminal
legislation). Second, the demanding standard of data protection law, combined with the
efforts of the Data Protection Ombudsman to control personal data processing systems,
makes leakages of personal data from computer systems relatively difficult. Third, the
damage done as a consequence of an identity theft is also alleviated by the proliferation of
protection tools implemented by potential co-victims of the most serious identity
theft-related misdeeds, ie, financial institutions. Finally, data subjects generally handle their
personal information more carefully (especially login details to financial assets) when
carelessness may cause serious damage to their interests.
7.26 Portugal
Portugal has a long tradition in the enactment of computer crime protection. In fact,
since 1991 Portugal has had a legal framework applicable to computer criminal actions
(Computer Crime Law – this act followed the minimal list of the Recommendation (89)9
of the European Council). In 1998, a new computer crime was set out: computer-related
fraud (as the scope of the protection is mainly property, the Portuguese
legislator considered that this crime should be included in the Penal Code and not in the
Law 109/91). Recently, the Cybercrime Law (Law no. 109/2009) revoked the 1991 legal
framework and transposed the Council Framework Decision 2005/222/JHA of 24
February 2005 on attacks against information systems. This act introduced a specific rule
in order to condemn and punish some identity theft incidents. Also, this act includes the
specific criminalisation of traditional criminal acts produced by electronic means and thus,
being a special law, it leads to the non-application of general rules of the Penal Code.
Other laws that may apply to ID theft incidents
• Criminal Code (Article 217)
• Cybercrime Law
• Data Protection Law
Application of the law in practice
Several cases of unlawful use of another person’s credentials have been decided, namely in
relation to computer fraud (an emblematic decision of the Supreme Court was issued in
2000). The Supreme Court has also ruled on a number of cases involving falsified identity
documents (not in relation with electronic documents), and in general these decisions were
combined with the sentence for fraud.
Reporting Mechanism
No specific platforms for identity theft reporting have been established. However, it can be said
that, in general, such practices are reported to the Polícia Judiciária (this police authority
has a defined and autonomous police department acting in the area of high-technology,
including computer-related crimes). Furthermore, CERT.PT has been promoting the
creation of a national network of CSIRTs and other security points of contact by
concluding formal agreements with relevant stakeholders. In this context, CERT.PT has
formal agreements with major national ISPs and the criminal investigation authority (Polícia
Judiciária) and it is also a primary point of contact. Finally, ANACOM (Telecoms
regulatory authority) and ‘Comissão Nacional de Protecção de Dados’ (Data Protection
Authority) are also entities receiving requests from the public, but their role in case of
criminal issues is to send these cases to the Ministério Público (Public Prosecutor) or to
Polícia Judiciária.
Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in
Portugal is sufficiently comprehensive, as no examples of identity theft incidents which are
not covered under present legislation have appeared in practice. Furthermore, the revision of the
1991 Computer Crime Law by the 2009 Cybercrime Law made it possible to penalise more
concretely some actions within the sphere of identity theft, namely by a wider wording of
article 3 (Computer-Related Forgery). On the enforcement side, the launch of centralised
systems allowing a clear and swift mechanism of complaints is still lacking.
7.27 Romania
Romanian legislation does not criminalise identity theft per se.
The current legislation does not explicitly focus on identity theft as a specific crime, and
does not provide a definition thereof. However, identity theft incidents are covered in
practice by the provisions of the legislation mentioned below (regarding personal data
protection legislation, fraud, forgery and computer-related crimes). To our knowledge, no
specific legislation regarding identity theft is currently under consideration.
Other laws that may apply to ID theft incidents
• Romanian Criminal Code of 1997 (Article 215)
• Title III on Preventing and Fighting Cyber-Crime of Law no. 161 of 2003
• Law no. 677 of November 21, 2001 for the Protection of Individuals with regard
  to the Processing of Personal Data and the Free Movement of Such Data
• Law no. 506 of 2004 on Data Processing and the Protection of the Private Life
  within Electronic Communication Sector as amended in 2009
Application of law in practice
There are several examples in case law of identity theft-related incidents. For example, in a
recent case, the perpetrators were convicted for breaking into the accounts of several persons
with eBay accounts and posting false messages inducing the victims to send money for
items which never existed. The perpetrators were sentenced to imprisonment for three and
a half years for computer-related fraud, fraud, and illegal access to information systems.
Reporting Mechanisms
Through the website eFrauda.ro, complaints about Internet fraud and cyber crimes, and
also about spam and spyware, are collected. The website provides for the applicable
legislation and gives a few recommendations on how to deal with Internet crimes. The
website was intended as a tool in order to promptly and directly communicate the
complaints regarding Internet crimes, such as phishing, Internet fraud, to Romanian
government agencies which investigate and take action against such crimes. The website
was launched in 2004, and was updated for a couple of years. Currently the website is not
working. The victims of computer-related crimes, including identity theft, phishing,
Internet fraud, etc. have to file criminal complaints with the local police. Other websites
play an informative role, including http://www.cybercrime.ro/ and http://cert.org.ro/.
Concluding Comments
Although identity theft is not expressly criminalised in Romanian legislation, the
current provisions cover almost all incidents regarding identity theft. One of the
weaknesses of the current system is the inoperability of eFrauda, or of another website
through which incidents regarding identity theft and other computer-related crimes can be
reported directly to the authorities empowered to investigate and sanction such incidents.
The establishment of a contact point for reporting Internet crimes would have a positive
effect in the fight against such crimes. Such a reporting site is a necessity given that in most
cases the victims of such crimes can be located all over the world, and filing an official
complaint with the local police where the perpetrator is located may become difficult.
Most of the incidents which are investigated and punished regard identity theft in the
context of phishing, Internet fraud and cloning of credit cards. Incidents like claiming a
false identity on-line are rarely reported and investigated.
7.28 Russian Federation
The laws of the Russian Federation currently in force do not have any legal norms
explicitly focused on identity theft as a certain type of crime, or containing a legal
definition of such crime. In existing legal practice in the Russian Federation, identity theft
cases are handled with the use of common legal norms applicable to actions listed below
(with regard to personal data protection, forgery, fraud, etc.). To the extent of our
knowledge, so far no draft laws of this nature have been submitted for consideration to the State
Duma of the Federal Assembly of the Russian Federation.
Other laws applicable to identity theft incidents
• Criminal Code of the Russian Federation (eg, Article 159)
• The Federal Law on information, information technologies and protection of
  information
• The Federal Law on personal data
• The Federal Law on communication
• Administrative Code of the Russian Federation
Application of law in practice
There are a number of examples in case law of incidents related to identity theft,
particularly with regard to the use of false identity to commit fraud, digital identity theft,
use of spyware that causes unauthorised copying of users’ data, and the sale by third parties
of personal databases.
Reporting Mechanisms
The mechanisms for solving hi-tech crimes, identity-related crimes and identity theft
crimes in particular are the same as those applied for all the other crimes. The Russian
Ministry of Internal Affairs (MIA) incorporates a ‘K’ Department and its regional
departments in the Ministries of constituents. Among other things, this department deals
with computer data crimes and illegal acts on the Internet, as well as other information-telecommunication networks (including digital identity theft). A general law-enforcement
portal, www.112.ru, was created to simplify the process of submitting a statement on a
crime or violation. The portal serves as a point of contact for reporting any crimes using
standardised user-friendly forms. It should be noted that this is a general purpose portal,
and does not focus on identity-related crime in particular.
Concluding Comments
On the whole, we could say that the Russian legislation related to counteracting identity
theft is quite comprehensive, since there have not been any cases of identity theft not
covered by the existing legislation. However, law enforcement in Russia also has several
shortcomings. For example, in order to submit a claim about a crime or violation to the
regional MIA, the claimant needs to make a certain effort and overcome a number of
bureaucratic obstacles, which also takes time. This is why, if the damage is
insignificant, not every injured party will proceed with a claim. The Russian Federation
lacks a unified portal (website) or unified system of interactive points of contact with a
user-friendly interface that would ensure quick submission, registration and follow-up of
statements on crimes and violations in the areas of computer data, information systems,
communications, Internet and other networks, including identity theft.
7.29 Slovakia
No legislation has been introduced in Slovakia that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection,
fraud, etc.). No such legislation is currently under consideration to our knowledge.
Instead, the policy emphasis in Slovakia is more on improving awareness of identity theft
risks with potential victims and law enforcement bodies.
Other laws that may apply to ID theft incidents
• Criminal Code (Article 221)
• Articles 247 para 2, Article 196 para 1b or 1c and Article 376 and partially Article 264 of Criminal Code
• Act of 3 July 2002 no. 428/2002 Coll. on Protection of Personal Data as amended
• Law of 3 December 2003 No. 610/2003 Coll. on electronic communications as amended
Application of relevant laws in practice
There are several instances of case law application, for example in relation to
using a third party’s stolen credit card. In April 2005 a perpetrator established an email
account on AZET in the name of his ex-girlfriend. Through this email account he sent
large numbers of messages to her colleagues containing untrue, discrediting and defamatory
information about the victim. Apart from the core of the case (the perpetrator's action was qualified
as vilification), interesting findings arose from the
investigation. The offender was criminally sanctioned with a fine of 20.000 SKK and the victim
received 120.000 in damages in civil proceedings. There were other examples of case
law applied to various kinds of identity theft incidents.
Reporting Mechanisms
No websites, hotlines or portals dedicated exclusively to identity theft exist or are
planned. Nor is there a website focusing on cybercrime, identity theft or fraud in general
in Slovakia.
Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in
Slovakia is sufficiently comprehensive, as there do not appear to be any examples of
identity theft incidents which are not covered under present legislation. The
actual problem in combating identity theft and cyber crime in general therefore lies not in
substantive law but in procedural criminal law in Slovakia. The first specific procedural
problem concerns electronic evidence and the fact that this kind of evidence is
often located on computers abroad. On the one hand this creates certain difficulties
in determining which court has jurisdiction, and on the other hand the nature and
location of electronic evidence require the highest possible degree of international
cooperation. Another procedural problem is that electronic evidence is very difficult to
obtain, and once it has been obtained there is no provision on how it must be
considered and evaluated by the court; judges therefore apply the same rules that
they use for any other type of evidence. A further procedural problem is that long-established
traditional investigation instruments will hardly lead to the successful investigation of
cyber crime incidents. A further reason why cyber crime and ID theft are not combated
effectively is the very low level of technical knowledge among judges, prosecutors and lawyers,
which hinders their understanding of technical questions. Lawyers are also unable to understand the very complicated language
used in experts' reports. Training and education on electronic evidence and
combating cyber crime are thus essential to keep judicial decisions independent. There
are of course many other procedural problems related to electronic evidence which arise
from its very specific nature.
7.30 Slovenia
In 2008, the new Criminal Code of the Republic of Slovenia (in Slovene:
Kazenski zakonik, Official Gazette No. 55/08, 66/08, 39/09, 55/09,
http://zakonodaja.gov.si/rpsi/r00/predpis_ZAKO5050.html, hereinafter KZ-1) was
adopted that explicitly defines identity theft as a criminal act, in its Article 143 §4, when
‘someone assumes the identity of another person and under its name exploits his rights,
gains property benefits or damages their personal dignity’. Violation of this provision can
be criminally sanctioned with imprisonment between three months and three years and, if
committed by an official through the abuse of office or official authority, even up to five
years (Art. 143, §4 and §5).
Other laws that may apply to ID theft incidents
• Criminal Code (Kazenski zakonik), hereinafter KZ-1 (eg, Article 211)
• Personal data protection Act (Zakon o varstvu osebnih podatkov), hereinafter ZVOP-1
• Electronic Communications Act (Zakon o elektronskih komunikacijah), hereinafter ZEKom
• Identity Card Act (Zakon o osebni izkaznici), hereinafter ZOIzk and Passports of the Citizens of the Republic of Slovenia Act (Zakon o potnih listinah), hereinafter ZPLD-1
Application of relevant laws in practice
There are several instances of case law application. For example, the Information
Commissioner investigated a case of illegal transmission of personal data between two
insurance companies. Personal data of 2300 individuals was sent from one insurance
company to another, and used by the latter for direct marketing. Sending of data by the
first insurance company and use of these data by the second was performed without the
necessary legal ground. The first insurance company was fined 112.000 EUR and its
responsible person 20.000 EUR, whereas the second company was fined 108.000 EUR
and its responsible person 20.000 EUR, both for violation of the Personal Data Protection
Act. One of the companies appealed to the court, whereas the second one paid the fines
without appealing. There are other examples of the application of the law that relate to ID
theft incidents.
Reporting Mechanisms
There is no special reporting mechanism to the police dedicated exclusively to identity
theft or cybercrime. People can use the main general reporting mechanisms. Whenever
citizens require police assistance, they can call the 113 emergency number. Emergency calls
are received and recorded by the deputy shift manager of the operation and
communication centre at the regional police directorate. To increase police cooperation
with citizens, and thus also the effectiveness of such cooperation, the Operation and
Communication Centre introduced a toll-free anonymous telephone number. There is also
the e-government portal, where a report of the incident can be submitted to the Ministry
of Interior. Also, if an individual believes his right to personal data protection has been
breached, or that his data was not processed lawfully, he/she may request the Information
Commissioner's opinion on the matter.
Concluding Comments
In general, it seems that the legal framework in Slovenia for combating identity theft is
sufficient to deal with identity crimes. The main responsibility remains with the
user and the service provider to take all possible measures to prevent such crime.
Raising awareness on both sides should be the focus of the relevant institutions at the
national as well as at the EU level. There are a number of initiatives at the national level
addressing information security issues, targeting different groups of users (for example,
educating children). Moreover, in Slovenia, identity theft victims can report the incident
through different channels and institutions easily, as described above. However, in
comparison to some other countries, general reporting sites (following one stop shops or
portal models) with the Police and other relevant institutions are still missing.
7.31 Spain
Incidents related to identity theft are combated using the general provisions mentioned
below (in relation to personal data protection, fraud, forgery, etc.) together with more
specific provisions included in the Criminal Code. Furthermore, the Parliament is now
debating the reform of several articles of the Criminal Code, some of them including and
enlarging specific references to unlawful activities related to access violating security
measures, unlawful use of information systems and graduation of the damage/harm that
has been caused. The bill currently under discussion was presented in November 2009
and at the moment of drafting this report it was in the amendments term at the ‘Congreso
de los Diputados’ (Lower House), before being transferred to the Senate (Upper House).
Other laws that may apply to ID theft incidents
• Criminal Code (eg, Article 399bis)
• Organic Law 15/1999, of 13 December 1999, of personal data protection;
• General Telecommunications Law 32/2003 of 3 November;
• Organic Law 1/1982 of 5 May, of Civil protection of the rights to honour, personal intimacy and own image;
Application of relevant laws in practice
Please note that in Spain, when an incident may be considered as a criminal offence, it is
not (or no longer) seen also under the perspective of an administrative infringement (eg,
violation of the data protection law is not considered as an administrative infringement
when criminal law also applies). Besides, where several offences are committed in a single
incident, the conviction is only for the most important one. There are several examples of case law
application.
Reporting Mechanisms
In Spain, there are two national security forces involved in the investigation and fight
against identity crimes: the Civil Guard (Guardia Civil), with competences in villages of
less than 20.000 inhabitants, and the National Police (Cuerpo Nacional de Policía), with
competences in villages with more than 50.000 inhabitants or where there is a high level of
conflicts. In addition, there are some regional police bodies, especially in Catalonia and
Basque Country, with competences in cases where the offence takes place in those regions
or fall within the competences of the national police forces. All of them give
recommendations on how to prevent potential security risks and how to behave while
getting in contact with other people through the Internet.
Concluding Comments
In Spain ID theft is not considered as an offence itself (with the notable exception of the
crime of the person who usurps the civil status of somebody else), but rather as a means to
commit a civil or criminal (or administrative) offence, on-line or off-line. In general, the
unlawful use of someone else’s identity is prosecuted when the events seek to get an
economic benefit, to cause an economic damage to the victim or someone else or to cause a
personal harm to the victim. The qualification and condemnation applied depends on the
result finally obtained or the means employed to get those results (fraud, forgery...);
incidents are mainly prosecuted under personal secrets disclosure, computer-related fraud,
offences against intimacy or moral integrity.
7.32 Sweden
Sweden has not introduced any legislation that focuses explicitly on identity theft as a
specific crime, or that defines such a crime. In practice, identity theft incidents are
combated using the general provisions below (in relation to personal data protection,
fraud, etc.). No such legislation is currently under consideration to our knowledge, though
the risks have been emphasised by various Swedish authorities, including the Swedish Data
Inspection Board (Datainspektionen) and the Swedish Post and Telecom Agency (PTS).
Other laws that may apply to ID theft incidents
• Penal Code (Brottsbalk (1962:700)) (eg, Chapter 9 Section 2)
• Personal Data Act (Personuppgiftslagen (1998:204))
• Electronic Communications Act (Lag (2003:389))
Application of relevant laws in practice
There have been several examples that demonstrate the application of relevant case law.
In 2008, the district court in Växjö decided a case in which somebody accessed a social
networking site with another person’s login credentials and altered information on that
person’s profile in a derogatory way. The perpetrator was convicted of illegal access and
sentenced to a fine and compensation for damages. In another case, a Swedish Appellate
Court decided in 2002 that the use of someone else’s username and password for Internet
access constituted computer-related fraud. In another, more recent, case from the district
court in Göteborg in 2008, a person ordered goods online by using false names and email
addresses. He was ordered to pay compensation for damages and sentenced to imprisonment for 2
months.
Reporting Mechanisms
There are no official specific reporting or follow-up mechanisms in Sweden with regard to
incidents of identity theft. Though the police, as the common first contact point, provide
general information about Internet security and potential crimes related to that, there are
no particular initiatives regarding identity theft. The Swedish Post and Telecom Agency
(PTS)75, as the supervisory authority with regards to electronic communications, has taken
a leading role with regard to Internet security and the general awareness of risks in an
electronic environment. In addition, the Swedish Data Inspection Board
(Datainspektionen)76 ensures the compliance with data protection legislation in Sweden by
monitoring lawful processing by organisations and companies and informing the general
public about privacy rights. The Swedish Consumer Agency (Konsumentverket)77 is also
involved in increasing the general public’s knowledge on Internet security and risks in e-commerce and online behaviour.
Concluding Comments
Although Swedish law does not explicitly contain provisions on identity theft, the legal
framework seems to cover all possible situations of these incidents. Identity theft often
involves other criminal behaviour and will therefore be covered by traditional rules on data
processing, fraud, forgery, or illegal access to information systems. This entails,
however, using the traditional channels of the police. The Swedish police offer online
reporting for crimes, but this only covers theft of vehicles or other property.78 In general,
several public authorities are involved in initiatives on Internet security, which include
issues of identity theft to a varying extent. Although identity theft incidents have been
considered an increasing problem in the media, no specific campaigns have been launched
to support individuals with specific information in this regard.
75 http://www.pts.se
76 http://www.datainspektionen.se/
77 http://www.konsumentverket.se/
78 http://www.polisen.se/sv/Utsatt-for-brott/Gor-en-anmalan/Anmalan-via-Internet/
7.33 United Kingdom
No legislation has been introduced in the UK that focuses explicitly on identity theft as a
specific crime, or that defines such a crime in those terms. In practice, identity theft
incidents are combated using the general provisions. There is much scope for ambiguity in
what different people mean by the term ‘identity theft’. The UK has helpfully sought to
separate out the terms identity crime, identity theft and identity fraud
(http://www.identitytheft.org.uk/identity-crime-definitions.asp).
Other laws that may apply to ID theft incidents
• Computer Misuse Act 1990 (as amended by the Police and Justice Act 2006)
• Computer Misuse Act 1990
• The Data Protection Act 1998
• Regulation of Investigatory Powers Act 2000
• Fraud Act 2006
• Identity Cards Act 2006
Application of relevant laws in practice
In most cases, claiming a false identity on-line, unlawfully using another person’s
credentials, phishing, using spyware to obtain identity information, or trafficking in
unlawfully obtained information is considered illegal, and one of the appropriate acts
applies: a violation of the Data Protection Act, since the personal information
would be unlawfully processed; a violation of communication secrecy laws, if the personal
information contained data related to electronic communication (such as email addresses, IP
addresses, etc.); and other specific requirements listed in the individual acts. No
known case law was identified.
Reporting Mechanisms
To facilitate the reporting and effective follow-up of any fraud (including electronic
identity theft), a general reporting site called Action Fraud was established
(http://www.actionfraud.org.uk/). The site acts as a single contact point, through which
any offline or Internet-based crime incidents (eg, phishing) can be reported using
standardised forms, with interfaces currently being available only in English. The questions
that potential crime-reporters are asked prioritise for investigation frauds in progress, by
asking if the subject of the report is ‘actually happening now, or are you or someone else at
risk of immediate harm?’ Others are collated for intelligence picture purposes and may be
investigated later if resources allow and successful prosecution looks likely. Questions are
asked about the Fraud Type; the Victim; the Suspect; Money; Fraud Details; and Fraud
Impact and Support. It is also possible to report a fraud by telephone.
Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in the
UK is sufficiently comprehensive, as there do not appear to be any examples of identity
theft incidents which are not covered under present legislation. The establishment of a
contact point for reporting Internet and offline frauds (the aforementioned Action Fraud
portal) is a positive development. None the less, there are also a few weaknesses. First,
public resources in investigating identity-related crimes remain modest, even though the
inclusion of some such offences within the British Crime Survey and UK police focus on
victims’ perceptions of harm and fear gives such offences a higher profile than in the past.
Secondly, the investigation of incidents remains complicated in practice, especially in cross
border cases. Even when clear evidence of an identity theft incident can be found (eg, a
fake profile on a social networking website through which false information is being
spread), it can often prove difficult to convince the website operators to take the offending
information off-line, and even harder to obtain information from the operator that would
make it possible for police to investigate the crime further (eg, IP addresses or mail
addresses used by the offender).
7.34 United States
In 1998 Congress passed the Identity Theft and Assumption Deterrence Act,79 which
amended the United States Code (18 U.S.C. § 1028(a)(7)) to make it unlawful for anyone
to ‘knowingly transfer or use, without lawful authority, a means of identification of
another person with the intent to commit, or to aid or abet, any unlawful activity that
constitutes a violation of federal law, or that constitutes a felony under any applicable State
or local law.’ With this act the US has provided an explicit definition of identity theft.
However, not only the federal legislators but also state legislators have passed specific laws
explicitly criminalizing identity theft.
Other laws that may apply to ID theft incidents
• Title 18 U.S.C. (eg, Section 1028 – Articles 1-7)
• Electronic Communications Privacy Act (ECPA)
• Federal Trade Commission (FTC) Act
• Gramm-Leach-Bliley (GLB) Act
• Fair Credit Reporting Act (FCRA)
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
Application of relevant laws in practice
There are examples in case law of prosecutions of identity theft offences. For example, in
a phishing case, United States v. Goodin, U.S. District Court, Central District of
California, 06-110, Jeffrey Brett Goodin violated federal law by sending users of the Internet Service
Provider America Online thousands of unsolicited emails that falsely purported to be
from the AOL Billing Department. With these messages Mr Goodin prompted the
recipients to update their personal and credit or debit card information. These spam emails
were sent from fraudulently created email accounts and contained weblinks to false AOL
webpages, which in turn contained computer code directing the provided information to
email accounts controlled by Goodin. He then used the information to make unauthorized
purchases. On June 11, 2007, petitioner Jeffrey Goodin was sentenced to a total of 70
months of imprisonment. The judgment was affirmed by the Ninth Circuit on December
17, 2008.
79 U.S. Congress’ Identity Theft and Assumption Deterrence Act of 1998 (Public law 105-318, 112 Stat. 3007-3012).
Reporting Mechanisms
There are several reporting tools available in the US. The most important and central one,
however, is the FTC’s ID Theft Complaint Form, which can be filled out online (at
www.ftccomplaintassistant.gov/) or by phone, using the toll-free Identity Theft Hotline.
This tool covers both online and offline identity theft, and victims can choose between
filling it out anonymously (however, losing out on some of the benefits described below),
or under their name. The advantages of filing a complaint with the FTC are in general that
the information is shared with the FTC attorneys and investigators, and is entered into the
electronic database, which provides information for the FTC’s reporting on identity theft,
and can be searched by law enforcement agents for their criminal investigations.
Concluding Comments
The legal framework for combating identity theft in the US seems in general sufficiently
comprehensive, and there appears to be no major legislative gap with respect to the
examples of identity theft incidents. Nevertheless, there is not one comprehensive law
governing privacy and data protection in the US. Rather, a set of provisions applies to
specific aspects of it. The awareness about the importance of the issue seems high as
illustrated by the introduction of a separate criminal offence and legal definition by the
Identity Theft and Assumption Deterrence Act, the establishment of the President’s Identity
Theft Task Force to provide strategic guidance and recommendations on the issue, and the
wide range of both governmental and non-governmental websites that provide information
on identity theft. A comprehensive ‘one-stop-shop’ reporting mechanism is, however, still
missing, although the FTC’s webpage plays a key role in this respect.
CHAPTER 8 Analysis
8.1 The legal perspective: a comparative overview of legislation
8.1.1 Legislation focusing explicitly on identity theft
One of the first questions examined in the national profiles was whether specific legislation
criminalising identity theft as such or introducing any such concept existed. The majority
of the countries covered did not yet have such legislation; in other words, in most of the
countries there is no crime of identity theft as such. Instead, these incidents are punished,
depending on the circumstances, by other provisions addressing, for example, privacy law,
fraud, forgery, etc.
In a smaller number of jurisdictions, however, there are specific crimes aimed at punishing
perpetrators of identity theft. In some of these countries identity theft is only defined as a
separate crime when the relevant actions result in other offences, while in others identity
theft is completely autonomous in the sense that no other illegal acts are required for it to
be punishable.
As was already noted above, in Canada, the Criminal Code (as amended by the Bill S-4,80
which entered into force on 8 January 2010) covers identity-related crimes. In particular,
under Section 402 it criminalizes the actions of anyone who:
• Knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.
• Transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.
The notion of ‘indictable offence’ in this law refers to any of the following: forgery of or
uttering a forged passport; fraudulent use of a certificate of citizenship; personating a peace
officer; perjury; theft, forgery, etc., of a credit card; false pretence or false statement;
forgery; use, trafficking or possession of a forged document; fraud; and identity fraud.
‘Identity information’ is defined as information ‘commonly used alone or in combination
with other information to identify or purport to identify an individual.’ Examples of such
information include: name; address; date of birth; written, electronic or digital signature;
Social Insurance Number; health insurance or driver’s license number; credit or debit card
number; number of an account at a financial institution; passport number; username or
password; fingerprint or voice print; retina or iris image; and DNA profiles.
80 S-4 An Act to amend the Criminal Code (identity theft and related misconduct), 40th Parliament – 2nd Session (Jan. 26 2009 – Dec. 30 2009). As of 26 January 2011:
http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&Session=22&query=5778&List=toc
This is an offence for which the Criminal Code foresees two alternative sanctions:
prosecution as a) an indictable offence with imprisonment of no more than 5 years, or b) a
summary conviction punishable by a fine of no more than $5000 or six months of
imprisonment, or both. Additionally, the Code under subsection 738(1)(d) enables the
court to order the offender – as part of the sentence – to pay restitution (covering expenses
incurred to re-establish identity, including the replacement of identity documents and the
correction of credit histories and credit ratings) to a victim.
In Canada, therefore, identity theft may be prosecuted as a crime if it is linked to another
illicit behavior. The Canadian approach can thus be considered an example of a system
where identity theft is treated as a preparatory act for the commission of other crimes (such
as fraud, etc).
France is another interesting example of a country where identity theft has been defined as
a specific crime. The French Criminal Code contains a specific provision for identity theft
(Article 434-23), allowing it to be qualified as a crime if two conditions are met:
(1) The thief has to assume the name of another person. However, the use of a false
name that does not correspond to an existing natural person is not covered by this
article.81
(2) The identity theft should lead or might have led to the initiation of criminal
conduct against the victim. This is, for instance, the case if the identity theft
prevents the victim from obtaining a French passport to which he is entitled.82
The wording of this article therefore eliminates from its scope of application a number of
cases where identity theft does not trigger any legal or economic consequence for the
victim. Such acts may, however, still be prosecutable under other qualifications such as
libel or misappropriation of correspondence. Secondary conducts which do not constitute
by themselves a crime will remain unpunished. This is, for example, the case when emails
are used fraudulently by third parties to suggest affiliation of the victim to a political party,
etc. (presuming, of course, that this suggestion could not be qualified as defaming).
In order to address this potential legal vacuum, the creation of a new crime that would
punish identity theft in electronic communications is currently being discussed by the
French Parliament. If approved, the act (known as LOPPSI 2)83 would introduce a new
article into the Criminal Code. At the time of writing, the text has been approved by both
Chambers in first reading.
81 Cour de Cassation, Chambre criminelle, 10 March 2010, N° 09-81.948, not published
82 Cour de Cassation, Chambre criminelle, 26 May 2009, N° 08-87.752, not published
Article 2 of LOPPSI 2 would introduce a new article (222-16-1) to the Criminal Code,
worded as follows (according to the version approved by the Parliament on 16 February
2010):
The fact of using on a network of electronic communications, the identity of another
person or data of any kind that allows his or her identification in order to disturb the
peace of that person or another person is punishable by one year of imprisonment and a
fine of €15,000.
Shall be punished in similar terms the fact of making use, on an electronic
communication network, of the identity of another person or data of any kind that
allows his or her identification, in order to affect his/her honour or consideration.
As currently worded, this new concept of identity theft would require two elements:
• Material element: the use of a third party identity or of any other data allowing his or her identification on an electronic communication network. This includes the fraudulent use of emails but also fraudulent posting on blogs or social networking sites. The proposer of this new provision, MP Eric Ciotti, has clearly indicated that this article would be intended to punish instances of identity theft that would not trigger clear economic consequences for the victim, but which may have a less tangible impact, such as in the case of defamation.
• Intentional element: this use of an identity or of specific data should aim at disturbing the peace of a third party or impinging on his or her honour or reputation.
The new article foresees a one-year prison term and €15,000 fine as possible sanctions,
which are increased when the identity theft is committed by a legal person: the amount of
the fine is then raised to €75,000. Legal persons can moreover be dissolved (when the legal
person has been created to perpetrate the crime), and a temporary or definitive prohibition
to exercise, directly or indirectly, the social or professional activity in which the offence has
been committed can be ordered, as well as a placement under judicial supervision or
exclusion or suspension from public procurement (Article 139 of the Criminal Code).
In India too, identity theft is defined as a separate crime, although only the fact of using
somebody else’s identification features (such as a password or electronic signature) is
punished and not, in more general terms, the fact of using the identity of another person
in an online environment. According to Section 66C of The Information Technology Act
2000, as amended in 2009:
Whoever fraudulently or dishonestly makes use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to three years and shall
also be liable to fine which may extend to rupees one lakh (100,000 rupees).
83 Loi d’orientation et de programmation pour la performance de la sécurité intérieure (LOPPSI 2); the
preparatory works are available online at (as of 26 January 2011):
http://www.assemblee-nationale.fr/13/dossiers/lopsi_performance.asp
Coming back to Europe, in Slovenia a new Criminal Code was adopted in 2008 that
explicitly defines identity theft as a criminal act in its Article 143 §4, when:
Someone assumes the identity of another person and under its name exploits his rights,
gains property benefits or damages their personal dignity.
Violation of this provision can be criminally sanctioned with imprisonment between three
months and three years and, if committed by an official through the abuse of office or
official authority, even up to five years (Article 143 §4 and §5).
In Italy, the situation is comparable to that of Slovenia: while there is no specific provision
dealing with identity theft, there is a generic crime of ‘substitution of person’ (Article 494
of the Criminal Code). This provision, which has been applied by the courts in cases that
could be qualified as offline and online identity theft, says that:
Whoever, in order to secure for himself or others an advantage or to cause damage to
somebody, leads someone in error, replacing unlawfully his person with another’s person
or giving to himself or others a false name or false state or a quality to which the law
gives legal effect, is punished, if the fact is not another crime against the public faith,
with imprisonment up to one year.
In the United States, according to the 1998 Identity Theft and Assumption Deterrence
Act⁸⁴, which amended the United States Code (18 U.S.C. § 1028(a)(7)), it is unlawful for
anyone to:
Knowingly transfer or use, without lawful authority, a means of identification of
another person with the intent to commit, or to aid or abet, any unlawful activity that
constitutes a violation of federal law, or that constitutes a felony under any applicable
State or local law.
With this act the US has provided an explicit definition of identity theft. However, not
only the federal legislators but also state legislators have passed specific laws explicitly
criminalising identity theft. In California, for example, this is done by Section 530.5 of the
Californian Penal Code, which sanctions amongst others:
Every person who wilfully obtains personal identifying information […] of another
person, and uses that information for any unlawful purpose, including to obtain, or
attempt to obtain, credit, goods, services, real property, or medical information without
the consent of that person.⁸⁵
Potential sanctions include fines and/or imprisonment for up to one year in a county jail or
in a state prison.
84 US Congress Identity Theft and Assumption Deterrence Act of 1998 (Public law 105-318, 112 Stat. 3007-3012)
85 See (as of 26 January 2011):
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=528-539
According to collected country reports, identity theft is expected to be punishable as a
crime in Hungary (from 1 January 2011) and Latvia. In Estonia, ID theft is already a
crime pursuant to the local Criminal Code. Inversely, in the Czech Republic, the
introduction of ID theft as a separate crime was considered during the preparation of a
new Penal Code in 2009, but ultimately no such crime was included when the Penal Code
was adopted.
In summary, six countries (out of the thirty-three examined in this study, and including
three EU Member States) have a specific provision in their legislation dealing with identity
theft. This represents 18 percent of the jurisdictions covered by this study. In another two
countries, ad hoc legislation will come into force in the near future. It is also worth noting
that only two countries have adopted a specific provision dealing with identity theft in an
online environment: Indian legislation has specific rules dealing with the misuse of
somebody else’s identity in the cyberworld, and in France a similar provision has been
approved by the Parliament and will likely enter into force in the near future.
As will be more extensively shown below, these figures do not mean that in only 18
percent of the countries under analysis identity theft incidents can be prosecuted and
punished – or, in other words, it does not necessarily indicate that there is a legal vacuum
to be filled in 82 percent of EU countries – but rather that in the other jurisdictions
different and more indirect classifications must be applied. Furthermore, the fact that a
country has specific legislation dealing with and criminalising identity theft does not imply
that these incidents are prosecuted and sentenced more effectively than in other
jurisdictions.
In fact, the definitions provided above show that there is no uniform understanding of
identity theft in criminal law, with some definitions (eg, the Italian and Slovenian
examples) bearing many of the characteristics of the general definitions of fraud, with the
main unique aspect being that identity is explicitly mentioned as the modality being used
to manipulate the victim. This is an indication that general provisions of criminal law may
be effective as tools to combat identity theft if they are phrased sufficiently broadly. As a
result, it is also debatable whether it is necessary or useful to define specific offences that
apply to identity theft. If other crimes such as fraud, forgery, unlawful data protection or
privacy violations, defamation, etc., would allow punishment of those who steal or misuse
the identity of somebody else, then the definition of separate criminalisations is not
driven by the need to fill a legal vacuum, but rather to define more specific rules that
could be easier to apply in practice, or which could lead to more appropriate sanctions.
However, not all of the definitions above fall into this category. The French example in
particular shows that the new definition presently being considered in Parliament is in fact
driven by a desire to fill a perceived regulatory vacuum, notably to cover cases of identity
theft where there is no clear legal or economic harm for the victim and where no other
effective criminalisation applies. The fact that other countries have not chosen to introduce
similar separate criminal provisions can be seen as an indication that either such vacuums
do not exist within all countries, or alternatively that the specific acts targeted by the
French legislation are not considered sufficiently serious to warrant systematic criminal
prosecution.
The French example referred to the false suggestion of a victim’s political affiliation in a
falsified email. Other countries might consider this to be either not serious enough to
justify separate criminalisation, or they might argue that this conduct is sufficiently covered
by existing criminal law (eg, telecommunications privacy rules, or even generic data
protection rules). Thus, the main conclusion appears to be that the existence of separate
criminal provisions is justified by the perception of a regulatory vacuum, and that there is
no indication of this perception being shared between the surveyed countries.
Finally, lawmakers are also faced with the challenges of introducing regulations which are
sufficiently broad to apply to harmful activities, while avoiding the risk of formulating them
in a way that could also cover harmless or even societally beneficial speech. One might
consider the (frequently occurring) case of fake celebrity profiles on a social network, where
the user of those profiles merely intends to amuse himself and others, or to deliver societal
criticism (possibly through satire or parody), with no intention of making an illicit profit
or causing harm. Whether such behaviour should be criminal or not (and indeed, whether
it should be considered as identity theft or not) is a policy question which does not have a
universal and clear answer. The possibility of new criminal provisions causing potential
collateral damage to freedom of (lawful) expression should be carefully considered before
introducing regulations. In this sense, the Canadian legislation appears to be more
balanced than some of the other examples mentioned above.
8.1.2 Other offences applicable to identity theft incidents
It has been noted that only a few countries, such as Canada, France and the United States,
have defined a crime in their legislation specifically addressing identity theft. Such separate
definitions are clearly the exception rather than the rule at this time, and in all other
jurisdictions identity theft may be punished only if it is part of or connected to another
illicit behaviour. As a result, identity theft will fall under a different legal classification.
In the country reports, we focused on four specific categories of crime that are frequently
coupled with identity theft incidents: fraud, forgery, hacking and illegal data interference.
These offences exist in some form in all countries covered by this study (although with
some differences, as we shall explore further below).
The country reports also noted that most instances of identity theft commonly violate data
protection legislation in European countries, since the misuse of identity data violates the
privacy rights of the data subject, at least in cases where identity theft involves the identity
of an existing (non-fictitious) person, and when focusing only on natural persons (ie,
excluding identity theft of legal persons, which is a notion that typically is not considered
with any degree of detail in existing doctrine or jurisprudence). Generally speaking,
identity theft as such is thus also a violation of data protection legislation even if no further
offences are committed, and therefore identity theft can be (administratively or criminally)
prosecuted in those countries where there is no specific crime of ID-theft. In that sense,
data protection legislation can serve as a safety net in the EU when no other classification
applies.
However, it should also be duly acknowledged that this role as a safety net is mainly
theoretical at this time. Data protection rules are only rarely applied to cases of identity
theft in practice, as can be seen in the examined case law, and other criminal provisions
(notably fraud and forgery) play a much greater role. Enforcement of data protection rules
is thus not likely to be an effective strategy to address identity theft, unless the emphasis on
enforcement of these rules is improved significantly.
Fraud and computer-related fraud
Fraud is punished as a crime in all the countries covered by this study. Generally speaking,
fraud can be defined as the act of using deception with the aim of appropriating somebody
else’s property or to gain a financial benefit to the detriment of somebody else. The
concept of deception may include the use of a false identity or of false pieces of
identification.
Fraud may exist if there are economic benefits for the perpetrator of the crime and/or
economic disadvantages for the victim: the victim generally must suffer economic loss as a
consequence of the fraud. By way of an example: if somebody claims a different identity to
engage in personal contacts with another person without any financial interests, his/her
behaviour will typically not be qualified as fraud (although other qualifications may apply;
eg, in the case of sexual contact initiated on the basis of deceptive identity, this may be
qualified as rape). If the deceptive use of the false identity (alleged or demonstrated
through fake documents) has an economic goal, on the other hand, the case will typically
fall within the borders of fraud.
The victim of the fraud may be a person, a company or a public institution: one of the
hypotheses examined specifically by the country profiles was identity theft in order to gain
illicit social security benefits. Fraud, therefore, is very often linked to identity theft, and
identity theft incidents are commonly prosecuted and punished if they are aimed at
perpetrating a fraud, even if no formal classification of identity theft is (or can be) applied.
Forgery and computer-related forgery
Forgery is also punished in all the countries covered by this study, although there are
differences regarding the nature and the punishment of the crime. Forgery is more related
to identification than to identity⁸⁶, in the sense that it regards the falsification of official or
private documents, including identity documents such as identity cards, passports, birth
certificates, etc. A qualification as forgery may be applied to an official document (ie,
issued by a public institution or public official) or a private one such as a contract; it may
be perpetrated by a public officer or by a private person.
Depending on the case and the legislation involved, the person committing the crime may
have a financial interest, or the crime may be committed with a view to economically
benefiting third parties. In case of public officers, cases in practice are likely to involve
corruption (which may lead to additional prosecution or higher sentences).
Forgery can be also ICT-related, since it can be committed using electronic credentials
and/or other tools for online identification. In many jurisdictions computer-related forgery
is punished with ad hoc provisions, as the country profiles have shown. This is not
surprising, since computer-related forgery is a part of the Convention on Cybercrime,
which defines this crime explicitly in Article 7; thus, all signatories to this Convention may
be expected to have similar criminal provisions in their legislation.
86 It is clear, therefore, that there is a conceptual difference between ‘identity’ and ‘identification’: the former is
a characteristic of every individual (or even of a non-personal entity, such as a company or an association) that
makes him/her unique, while the latter indicates the identity of the subject through external means such as
documentation
Hacking
The crime of hacking regards illegal access to information systems, and as such it may be
linked to identity theft when a third party’s identity information (including specific
credentials) is used to access an information system, or when such information is copied or
stolen after a successful hacking attempt. Hacking is an offence in all countries covered by
this study.
However, hacking is a complex crime in the sense that it represents a step forward in
comparison with identity theft: a hacker uses a false identity and/or falsified identification
tools in order to get access to an IT system, with or without a financial motive. In many
countries, hacking can only be punished if the author acted with the aim of gaining a
profit or to cause damage: this applies in Austria, Latvia, Slovakia (where pure access to
information systems without intent to cause damage is not an offence), and Slovenia (thus
in 12 percent of the countries). Elsewhere, the crime of hacking exists only if the author
actually caused damage or altered the functioning of the system: this is the case in France,
Spain and the United States, and in Russia hacking also includes copying the output of
computer systems and networks. Finally, in some other jurisdictions, including Greece,
Lithuania and India, hacking may be punished only if the perpetrator unlawfully accesses a
secured computer system.
Thus, the use of false credentials to access information will not by definition be sufficient
to be considered a crime in all examined countries, since additional requirements (damage
or economic harm) may apply. These differences might result in certain examples of
identity theft being punishable as hacking in some countries, but not in others.
Illegal data interference
The crime of illegal data interference in many countries corresponds to or overlaps with
that of hacking; generally speaking, interference with the functioning of an information
system is required. While in the case of hacking in some (but not all) countries a crime has
been committed merely if one illegally accesses a system, in the case of illegal data
interference it is necessary that at least the normal functioning of the system is altered.
Illegal data interference includes the diffusion of viruses or other malicious software or
applications with the aim of damaging computer systems, which can include, for example,
the surreptitious installation of keyloggers to intercept usernames and passwords.
The perpetrator of a hacking offence will usually be the person who accesses a computer system
through falsified credentials; if the same person also destroys or modifies data or software
on the system, he can be sentenced for illegal data interference as well. Therefore, this
qualification would apply to any identity theft incidents involving the falsifying of identity
information stored in an information system. In Germany, however, illegal data
interference also includes illegal data interception: whosoever unlawfully intercepts data
not intended for him, for himself or another, by technical means from a non-public data
processing facility or from the electromagnetic broadcast of a data processing facility,
commits a criminal offence. Thus, illegal interference can be combined with
communications privacy regulations.
In other jurisdictions, such as the Netherlands, illegal data interference can be punished
not only if committed with deceptive intent or with the intent to cause harm, but also if it
is committed with negligence (and therefore it is non-intentional), while in other
countries, such as Slovakia, only acts committed with the intent to cause damage are
punishable. Intent is also required in the UK, where the requisite level is to cause a
modification to the contents of any computer, and by doing so to impair the operation of
any computer; or to prevent or hinder access to any program or data held on any
computer; to impair the operation of any such program or the reliability of any such data.
Finally, in other countries intent is necessary in order to punish the perpetrator as a general
requirement of national criminal law (eg, in Italy).
Data protection laws, communications secrecy laws and copyright
The importance of data protection legislation should not be overlooked when examining
identity theft, at least from an EU perspective. According to the provisions of the
European Data Protection Directive (95/46/EC) as applied in all Member States, the name
and other data linked to the identification of a person and to his/her identity are
considered to be personal data, and therefore they cannot be processed without appropriate
guarantees. A key requirement is the existence of a legitimate justification for the
processing of personal data (Article 7 of the Directive), without which the processing of
that data is not allowed. Obviously, the processing of personal data with the intent to
commit a crime or to harm somebody cannot be considered legitimate, and will therefore
always be in violation of EU data protection law.
Identity theft, in particular, is likely to violate several requirements linked to the processing
of personal data, such as legitimacy requirements, proportionality obligations and the
purpose restriction, transparency obligations, security obligations and formal obligations
such as the prior notification to the competent national Data Protection Authority.
Any identity theft incident is thus likely to also be a violation of Data Protection legislation
in the EU. Generally speaking, such violations can be prosecuted before a court and before
the national Data Protection Authority concerned. The victim, in fact, can ask the
authority to have the illegal processing of personal data ceased. The authority may also
impose a fine on the perpetrator, and the victim can obtain compensation for damages
before the civil court.
In other words, data protection legislation gives the victim the possibility of being
protected in case of illicit processing of ID data, also in those cases where such processing is
not (followed by) a crime such as fraud, forgery, etc.⁸⁷ This is an important consideration,
as it means that actions preceding identity theft which may otherwise not necessarily be
punishable (eg, selling of stolen credit card information) can still be sanctioned.
This also implies that in the jurisdictions where identity theft is not a crime as such,
identity theft incidents are in any case unlawful and can be prohibited by public
authorities. Violation of data protection regulations in some countries is considered as a
crime with the possibility of imprisonment (inter alia in Cyprus, Denmark, France, Germany,
Greece, Italy, Malta, the Netherlands, Poland, etc.), while in other jurisdictions it is an
administratively sanctioned behaviour (Bulgaria, Czech Republic, Lithuania, Romania,
Spain).
87 As will be pointed out infra, however, in some EU Member States such as Slovenia it is not possible for
citizens to get protection from the national Privacy Authority in case of misuse or theft of their identity if the
data processed are not part of a filing system
Potentially applicable privacy legislation has also been enacted by non-European countries
such as:
1. Canada, where data protection regulations are very similar to the EU Directive.
According to the national legislation, ‘Personal information’ is defined as ‘information
about an identifiable individual’ other than ‘name, title or business address or
telephone number of an employee of an organization’, and this definition includes
email addresses that are traceable to the individual, as well as information that does
not permit identification of an individual but relates to an identifiable individual, for
instance, his or her shopping preference.
2. China, where the law of 1 July 1979 about privacy invasions imposes criminal liability
on persons who misappropriate personal information during the course of performing
their professional duties; both private sector and government agency personnel who
misappropriate a citizen’s personal data are subject to the penalty.
3. India, where several sources are applicable in the data protection field, including in
particular the Personal Data Protection Bill 2006.
4. Japan, where the Act on the Protection of Personal Information Held by
Administrative Organs of 2003 forbids any specific person prescribed in the law who
provides another person with or appropriates the retained personal information that
he or she acquired with respect to his or her work for making illicit gain for himself or
herself or for a third party; the specific person prescribed in the law is an employee or
former employee of an administrative organ or an individual or a business operator
entrusted by an administrative organ with the handling of personal information
engaged in or formerly engaged in the entrusted affairs under the law.
5. The Russian Federation, where under the provisions of the Federal law of 27 July
2006 N 149-FZ identity theft instances are treated as illegal processing, since this
violates the legal norm prohibiting the obtaining of information about the private life
of a person (individual), including information relating to the person’s private or
family secrets, against such person’s will, unless otherwise provided for by federal laws.
6. The United States, where there is not one comprehensive law governing privacy and
data protection, but rather a set of provisions apply to specific aspects of it. Some laws
address the issue of interception of electronic communication by government or
private entities (eg, Electronic Communication Privacy Act (ECPA), the Computer
Assistance for Law Enforcement Act (CALEA), and the Patriot Act). Other laws
safeguard personal data in specific sectors (eg, the Health Insurance Portability and
Accountability Act (HIPAA) with respect to health care) or of specific individuals (eg,
the Children Online Protection Act (COPA) for children). Furthermore, certain
states have enacted security breach notification laws that require companies to inform
individuals of security breaches that might have compromised their data, and enable
them to take the appropriate steps to protect themselves against falling victim to
identity theft. Besides legislation on federal and state level, there is also a diverging set
of self-regulatory mechanisms in place that have an impact on the data protection and
privacy environment in the US (such as the labelling schemes TRUSTe and the Better
Business Bureau’s online privacy programme (BBBOnline), or the self-regulatory
codes of conduct for certain sectors such as the one established by the Direct
Marketing Association (DMA)).
In other words, in all of the countries covered by the study, certain data protection/privacy
legislation exists which could be applied to most types of identity theft by treating it as an
illegal processing of personal data. This statement clearly applies to all EU Member States,
but this possibility usually exists also in non-EU countries. It should, however, be
acknowledged that privacy protection mechanisms are likely to be enforced only when the
misuse occurs on a mass scale and/or when no complicated investigations are necessary.
The typical incident of identity theft perpetrated by a single person in a social network
environment is unlikely to be effectively addressed by data protection law, at least on the
basis of the assessments provided in the country reports.
The use of data protection legislation to combat identity theft is thus a theoretical
possibility, but not usually a practical reality. It is more efficient for the victim to use
criminal law tools (starting from reports to the police/public prosecutor) to obtain
protection in case of identity theft incidents. The case law reported in this document, in
fact, shows that perpetrators of identity theft are usually sentenced for penal law offences
such as fraud, defamation, forgery, and so on, rather than for violation of data protection
laws.
Identity theft may also be the consequence of the violation of communications secrecy. It
is fairly broadly accepted that private communications (by phone, on the Internet or
through any other means) should be protected against disclosure or use by unauthorised
third parties. Communications secrecy also includes the prohibition of communication
intercepts unless they have been ordered by a competent public authority for legitimate
reasons and purposes. The interception of private communications may, in fact, involve
the acquisition of identity data (ie, a typical identity theft). These data then may be used to
commit other crimes such as fraud, etc.
8.2 Civil sanctions
Identity theft incidents may well result in an obligation for their perpetrators to
compensate the victims for the damages they have suffered (if any such damages exist and
can be shown). Compensation is a civil sanction which may be imposed by a judge if the
victim can prove that he/she suffered damages arising from the identity theft. The concept
of damages is not homogeneous in the countries covered by this study, especially when one
considers indirect damages, including moral damages, damages to reputation, etc. (ie, all
those damages that do not have a direct effect on tangible goods). This is, however, an
issue that relates to civil liability for criminal activities in general, and that is not specific to
identity theft.
It is worth noting that here, too, the Data Protection Directive imposes a duty on Member
States to ensure that ‘any person who has suffered damage as a result of an unlawful
processing operation or of any act incompatible with the national provisions adopted
pursuant to this Directive is entitled to receive compensation from the controller for the
damage suffered’ (Article 23). Thus, insofar as the identity theft incident involves the
unlawful processing of personal data, a theoretical reparation right exists in all EU Member
States.
8.3 Case law review with respect to identity theft
8.3.1 Introduction
The sections above examined the extent to which legal provisions have been adopted that
target identity theft or that could be applied to identity theft incidents. However, the
country reports also examined the issue of identity theft in practice from the legal point of
view through an assessment of case law. The mapping of this case law takes into account
the spectrum of potential victims, namely (i) private individuals and organisations and (ii)
public institutions.
The country reports explored this spectrum through five sample situations of identity theft,
covering both online and offline cases. The simplest form of identity theft concerns the
fact of claiming a false identity online, without necessarily further consequences. This
does not inherently bring financial or economic benefits for the perpetrator, and the same
applies to the fact of unlawfully using another person’s credentials. The economic
motivation is usually present in other illegal behaviours such as phishing, using falsified
identity documents to unlawfully apply for social benefits and trafficking in
unlawfully obtained personal information.
A detailed overview of the case law reported in all these fields is provided in the following
paragraphs. It is clear that there is a significant disparity in the penalties across the
countries covered by this study, so that similar offences can be punished with noticeably
different sanctions. However, it should also be acknowledged that this can be due to the
vastly different details behind each individual case, and that this disparity is also a
conscious EU policy choice: both the Data Protection Directive and the Framework
Decision explicitly allow Member States the right to determine appropriate sanctions.
Thus, this particular issue of strongly diverging punishments is not an identity theft issue,
but rather a result of the national autonomy of the EU Member States. Whether this
disparity is necessary, fair or desirable is a different question, one that transcends the scope
of this study.
8.3.2 Claiming a false identity online
In several countries decisions related to claiming a false identity online have been reported.
These cases include the fact of creating an account on a social networking site such as
Facebook under someone else’s name. In fact, the majority of the decisions analysed in the
country profiles concern social networks and discussion forums.
More specifically, case law involving identity theft in social networks/forum environments
has been reported in eight countries:
- Belgium: in 2002, the criminal court of first instance in Liège ruled on a case in which
a visitor created a false identity on a discussion forum. Using this false identity, the
person solicited other visitors of the forum to send erotic messages to a phone number,
which did not belong to him. The court ruled that the use of the false identity
constituted fraud and stalking (a qualification as computer fraud was not possible, as
the relevant provisions had not yet been adopted at the time of the crime). The
defendant was given a 3-year suspension of sentence, and was ordered to pay damages
to the victim.
- France: in the case ruled by the First Instance Tribunal of Carcassonne on 16 June
2006 a woman used different pseudonyms on a dating service website and described
herself as an ‘easy woman willing to have sexual relations’. She provided her colleague’s
contact details so that this colleague started receiving numerous messages from
individuals eager to meet her. As a result, the colleague fell into a depression and had
to ask for sickness leave. The convicted woman was deemed liable for voluntary duress
with premeditation and had to compensate both her victim and the Public Health
Insurance.
- Greece: the Thessaloniki Court of First Instance, in the context of an injunction
application, recently dealt with a case relating to the posting on Facebook of data
without the permission or the consent of the person concerned (Decision
16790/2009). The defendant created a Facebook account under a fake name and
posted defamatory information (and documents) about the plaintiff. This act was
considered as unlawful processing of personal data and violation of the personality of
the defendant. However, it should be noted that the decision on the case was not final
at the time of reporting.
- Hungary: a case involved the abusive use of photos and private data (address and
telephone) of a woman on social websites dedicated to the provision of sexual services.
The victim brought a civil action against the websites to the Pest Central District
Court. According to the judgement the owner of the website, being an intermediate
provider, is not responsible for the content. The Pest Central District Court thus
refused the action and the plaintiff should pay legal costs. The Metropolitan Court of
Appeal approved the decision in April 2009.
In a similar case of falsified online ads (concerning the offer of a car and of sexual
services, where the ads contained the nickname and phone number of the victim), the
police identified the IP address from where the ads were sent and the City Court of
Hatvan found two defendants guilty in violation of the data protection laws and for
the offence of harassment in 2007. Each defendant was sentenced with a fine of
100,000 forints (about €400). The Supreme Court approved the decision in December
2008.
- Italy: in 2007, a man was found guilty of creating a false ID online, along with an
email account, with the aim of seeking out people to propose false work opportunities
to and eventually to ask for personal and fiscal data. The Italian Cassation Court has
sentenced the defendant for violation of Article 494 of the Criminal Code
(substitution of person) to 10 months imprisonment.
- Poland: according to the Data Protection Ombudsman several cases have been
reported by concerned individuals. Those cases involved a Polish counterpart of
Facebook, Nasza Klasa, and in particular the act of establishing false profiles of well-known individuals, politicians in the first place. Most often the content of those
profiles has been insulting and defamatory, which triggers defamation laws as
applicable. Reporting individuals have been directed to law enforcement agencies by
the Data Protection Ombudsman in those cases. At that point the Ombudsman has
lost track of the cases, and their outcome has not been reported to the broader
audience either.
In another case, concerning the establishment of a false profile on an erotic social
network, the deed has been reported to law enforcement agencies by the Data
Protection Ombudsman. Criminal charges have been conditionally dismissed and the
victim has been awarded damages.
- The Russian Federation: in 2007 the City Court of Yoshkar-Ola in Mari El Republic
decreed that on a dating website two locals created false accounts of non-existing
women that were willing to marry wealthy foreigners. These people posted photos of
famous actresses and ballet dancers and provided false address, biography and passport
details. In the process of communication the would-be brides asked potential fiancés
for money so that they could go and visit them, as well as to pay for a foreign passport,
visas, tickets, etc. Criminals received money in the banks of Yoshkar-Ola and
Cheboksary through international money transfer systems Western Union and
MoneyGram. After the payment communication with the victims stopped. It was
found that during the three years of these activities the criminals received over 1
million roubles (around €25,000) from twenty nationals of the UK, USA, Germany,
Austria and China. The court decreed that using a false identity account constituted
fraud committed by an organised group. Both criminals were sentenced to 3 years in a
standard regime penal colony.
- Sweden: in 2008, the district court in Växjö decided in a case, in which somebody
accessed a social networking site with another person’s login credentials and altered
information on that person’s profile in a derogatory way. The perpetrator was
convicted for illegal access and sentenced to a fine and ordered to pay compensation
for damages.
It has to be highlighted that in the abovementioned cases the defendants were sentenced
on the basis of ‘traditional’ criminal qualifications (such as fraud, stalking, voluntary
duress, defamation and harassment) rather than for computer crimes (with the exception of
the Swedish case). Often, however, the unlawful processing of personal data has been
noted and condemned as well, which illustrates the ‘safety net’ role that this legislation
could play with respect to identity theft incidents.
Regarding the violation of data protection legislation, in some countries it has been
reported that the national privacy authority cannot take any action to protect victims.
More specifically, in Slovenia the Information Commissioner has received several
complaints regarding false accounts on Facebook and false email accounts. Since the
Commissioner doesn’t necessarily consider this to be processing of personal data (the data
processed are not part of a filing system) he is usually not competent in such cases. The
Commissioner advised the victims how to report such false accounts directly on the web
page and to turn to the police or the competent public prosecutor’s office (thus without
taking any action directly).
In three other countries case law has been reported that was not related to misuse of social
networks/forums. In Germany there is a string of well-established cases where courts have
found that the right to one’s own name entitles one to forbid the unauthorised use of the
same name by another person, in particular if the use of the same name causes a likelihood
of confusion. This right to one’s own name may also apply to the use of company names,
trade names, domain names and even abbreviations of names.
In Japan in 1997 the Kyoto District Court issued a judgment on the case of a defendant
who changed the official address of another person to avoid detection of the fraud that the
defendant performed under another name on a bulletin board system. The defendant was
sentenced to 2 years in prison with a stay of execution for 3 years with the probation for
the offence of forgery.
Finally, in Malta in the case Police vs Olaf Cini et (Court of Magistrates, Criminal), case
No. 64/2006, the defendant was found guilty of committing the offences of forgery of
private writings and false declaration or information to a public authority respectively,
because he had sent an email which he signed using someone else’s information without
that person’s consent or authorisation.
8.3.3 Unlawfully using another person’s credentials
The country profiles reported several cases of unlawfully using another person’s credentials,
for example, using someone else’s username or password to send emails in his/her name.
The mapping of the case law available shows that many decisions concern the use of stolen
credit/debit cards, or in any case relate to the banking and financial sector. This is the case
in the following thirteen countries:
- Belgium: several cases are known, specifically in relation to using a third party’s stolen
credit card. After a ruling by the Supreme Court in 2003, most criminal courts have
found this to constitute computer-related fraud.
- Bulgaria: several cases are known, specifically in relation to: (i) unlawfully obtaining
data related to third party’s bank cards by using special technical means; (ii)
reproduction of false plastic copies of bank cards by using unlawfully obtained data
regarding such bank cards (forgery); (iii) and respectively, usage of someone else’s bank
card or a plastic copy of such a card (fraud).
- Denmark: several cases are known in relation to using a third party’s stolen credit card,
which is found to constitute fraud.
- Estonia: the Estonian Supreme Court dealt with cases where third party’s bank
identifier codes have been used to get access to Internet bank accounts. The Supreme
Court found this to constitute computer-related fraud.
- Finland: there are several cases specifically in relation to using a third party’s stolen
credit card. Paying for purchases with a stolen credit card is qualified as fraud in
Finland. However, most of these offences are not committed online. For example, in
2009 the Kouvola Court of Appeal ruled that usage of a credit card accidentally found
and falsifying the signature when paying with the card constituted a fraud and forgery.
The defendant was sentenced to imprisonment for one month but the sentence
included two petty thefts as well (the district court had sentenced him to
imprisonment for two months).
- Greece: the Greek Courts have treated the use of credit/debit cards in different ways.
The Athens Court of Appeals in its decision 1904/1991 considered the use of a cash card and its secret code as theft, without even considering the aspect of ICT-enabled
fraud. The Military Court of Athens (2897/1994) also considered this action as theft.
However the Admiralty Court of Piraeus in its decision 418/1996 considered the use
of the bank card of another person as fraud with a computer. The three-member
Criminal Court of Athens ruled in its decision 3668/2006 that the two defendants
that had hacked into the computer system of a bank and transferred an amount of
money from the bank account of a foreign citizen to their bank account were to be
convicted for the offences of fraud with a computer and for violations of data
protection law.
- Hungary: there is case law involving the sending of faxes. The Municipal Court in
2007 heard the case of a bank employee who, without authorisation, accessed the
sleeping accounts of seven clients containing large amounts of money on the bank
information system. He made snapshots with a digital camera of the displays, which
contained the details of the bank accounts (personal data of the holder, the amount
and currency, and secret password code required for the transfer). A second defendant
had opened two bank accounts using lost and falsified ID documents that contained
his own photos, but one of which used a falsified name. Unknown persons started the
bank transfers by fax – containing the secret password and code – sent from a foreign
country phone number (traced to a Serbian city) to the Hungarian accounts. The
identity of the accomplices remained unknown. The Municipal Court found the first
defendant guilty for the crime of fraud together with the crime of violation of banking
secrecy and the offence of forgery of official documents. The second defendant was
found guilty for the crime of continuously committed fraud together with the
continuously committed crime of forgery of official documents.
- Japan: in 2004, the Supreme Court sentenced a defendant who pretended to be a
holder of a title deed and used a credit card for fraud. In 2006, the Supreme Court
found the offence of computer fraud in the case of a defendant who inputted the
names of the holder of a title deed of the credit card which he stole into a computer
and purchased electronic money. From a different perspective, in 2007 the Supreme
Court heard the case of a defendant who stole the ID and password of another person
and used it illegally; they sentenced him for the crime of unauthorized creation of
electromagnetic records because he changed a password illegally.
- Malta: Maltese Courts have pronounced several judgements relating to fraud by
persons using the credentials of another person. For instance, in the area of banking
and finance, Police vs Mary Magdalene Sultana (Case Number 12/2010 – Court of
Magistrates, January 2010): in this case the defendant was sentenced for committing
several offences (inter alia, forgery of any authentic and public instrument or of any
commercial document or private bank document and fraud) by defrauding a bank of
€18,600 after using a false identity when she presented herself at the bank’s branch
and pretended to be somebody else (who turned out to be her friend). She was accused
of first appearing at the Identity Card department and there she applied for an identity
card in the name of another person (claiming that she – or rather that other person –
had lost her identity card). Following the issuance of this ID card she managed to
obtain a loan of €18,600 from the bank.
- Romania: in a recent case, the perpetrators were convicted for breaking into the
accounts of several persons with eBay accounts, posting false messages inducing the
victims to send money for items which never existed. The perpetrators were sentenced
to imprisonment for three and a half years for computer-related fraud, fraud, and
illegal access to information systems.
- Slovakia: several cases are known, specifically in relation to the fact of using a third
party’s stolen credit card. This is likely to constitute computer-related fraud. One
interesting case took place in April 2005, when a perpetrator accessed an email account
on AZET (a webmail system) in the name of his ex-girlfriend. Through this email
account he sent messages to her colleagues containing untrue, disparaging and
defaming information about the victim. The action of perpetrator was qualified as
vilification and he was criminally sanctioned with a fine of 20,000 SKK (around €500
at the time). The victim received 120,000 SKK (around €3,000 at the time) for
damages in civil proceedings.
- Germany: in both civil and criminal proceedings concerning the unauthorised use of
unlawfully obtained data containing personal identity information, courts have found
that the unauthorised use of such unlawfully obtained data for a transaction causing
damage to the victim’s financial position may constitute a criminal offence of fraud or
computer-related fraud.
- Sweden: several cases concern third party’s stolen credit cards or unauthorised use of
such credit cards. These crimes usually constitute fraud.
We see, therefore, that the fact of unlawfully using another person’s credentials such as
credit/debit cards can be qualified in different ways: in all of these countries these incidents
have been qualified as fraud or computer-related fraud; in four other jurisdictions they
have been considered as forgery, in two more as theft and, finally, in two others as
unlawful access to information systems (for the latter three qualifications, in conjunction
with fraud).
A second large group of cases regards the unlawful use of somebody’s credentials to access
his/her email account or his/her profile on a social network. Usually the unlawful access
was then followed by further illegal activities such as defamation, posting indecent
material, etc. The mapping of the case law shows the following results in five countries:
- France: according to the Ruling of the Supreme Court of 20 January 2009 the
perpetrators of the crime had published pictures of the victim naked on the Internet
making use of her email address. The offenders have been convicted on the basis of
identity theft and for violation of the right to privacy.
- The Russian Federation: there have been a number of cases of digital identity theft.
The most interesting recent case was classified as extortion. In 2009, in Tambov, Mr
V, an administrator of an Internet café, stole several IDs and gained illegal access to
the account of one of the clients at the social networking site www.odnoklassniki.ru.
He later extorted money from Ms X, threatening to distribute discrediting
photographs of her on the Internet. Mr V was charged with extortion, unauthorised
access to computer data protected by law, violation of privacy of correspondence,
illegal collection of information on a person’s private life constituting their personal
secret and disclosure of this information without their consent. The convict
cooperated with the investigators and was given a conditional sentence of 2 years. In
addition, Mr V had to pay 10,000 roubles (around €250) to the injured party for
moral damage.
- Slovenia: it has been reported, inter alia, that the Information Commissioner
investigated a situation where an individual illegally accessed email accounts of his
former boss and co-workers by successfully guessing/knowing their passwords. The
case was forwarded to the police and the public prosecutor brought charges against the
individual for suspected violations of abuse of personal data, violation of secrecy of
means of communication and unauthorised access to an information system.
- Spain: several cases can be identified, and the following are particularly interesting: (i)
sentence no. 48/2009, of 10 March, issued by the Provincial Court of Navarra (1st
Section), confirming a Resolution of the Pamplona’s Criminal Court of 16/10/08, in
the case of a civil servant who observed a colleague working next to him typing her
computer’s username and password, giving access to all her files and email account.
The perpetrator then accessed from his own post the victim’s email account, sending
erotic messages, signed with the victim’s name, to 35 professional colleagues included
in the victim’s contacts. He was criminally condemned for an offence against intimacy,
using someone else’s personal data, to imprisonment of 6 months and fine of €1,800;
(ii) sentence 236/2009, of 27 October, issued by the Provincial Court of Albacete
(2nd Section), confirms the Resolution of the Criminal Court of Albacete, of
28/07/08, and condemns an ex-husband for a criminal offence against intimacy and
revealing secrets for having unlawfully accessed his ex-wife’s email account,
introducing an offending phrase in the details to be shown to her contacts in her
communications, and for having participated in messenger chats under her name, in a
highly self-offending and very indecent way, and also sending erotic pictures of the
victim (taken by the husband while living together). He was imprisoned for 1 year,
with a fine of €2,160.
- Sweden: an Appellate Court decided in 2002 that the use of someone else’s username
and password for Internet access constituted computer-related fraud. In another more
recent case from the district court in Göteborg in 2008, a person ordered goods online
by using false names and email addresses. He was convicted and ordered to pay
compensation for the damages, and sent to prison for 2 months.
Other countries present a more varied case law that does not fall neatly into one of the two
abovementioned categories. Two particularly interesting cases were reported from China.
In the first case, the Shaoyang Beita District People’s Court made a decision on identity
theft crime in 2009. In this case, A paid to B CNY 50,000 (US$10,680) to secure a swap
of identities and college-entrance examination information to enable A’s daughter to be
admitted by a university under the name of C. C discovered that her identity was stolen
when she tried to open a bank account, but was told that her identity was already in use.
Nor could she find a job because the graduation and professional certificates she had been
working towards could not be issued as they had already been issued to A’s daughter using
her name. Eventually A was prosecuted and detained on charges of forging official
documents, certificates and seals and she was sentenced to a four-year fixed-term
imprisonment. The university degree obtained by A’s daughter through identity theft was
revoked. But C found that resuming her true identity took longer than expected because
she was still turned down by both banks and on the job market. Although she sought civil
remedies by suing A and others for infringing her right of name and education, it does not
seem that she will obtain any compensation from the prolonged proceedings in the near
future. In a separate case in August 2001, Shandong High People’s Court ruled for D
whose constitutional right of receiving education was infringed by the defendant’s action
of identity theft of college-entrance examination information. The decision was affirmed
by the Supreme People’s Court in an official reply to Shandong High People’s Court.
Unfortunately, the official reply was repealed by the Supreme People’s Court in a decision
effective from December 24, 2008, which leaves uncertainty in the handling of identity
theft cases.
The Chinese case law is emblematic as it shows the potential consequences of identity
theft: even if one may at first be inclined to think that the abuse of somebody else’s
identity and identification credentials is not likely to be too problematic for the victim in
the longer term, this is certainly not always true. This case law shows very clearly that the
victim can suffer moral and financial damages even if the perpetrator did not commit other
crimes such as defamation, and even after the perpetrator has been convicted and
punished.
8.3.4 Phishing
Phishing is the crime committed by a person who uses falsified information (eg, emails
and/or falsified websites) to trick users into giving up identity information (eg, bank
account numbers or passwords), typically in order to gain an illicit financial benefit. The
phenomenon of phishing is unfortunately quite common and the number of potential
victims is virtually unlimited, since the vast majority of the Internet population has an
email account, telephone account and bank account. The economic impact of successful
phishing scams is thus quite heavy, taking into account direct damages (those suffered by,
for example, the owners of bank accounts that have been deceived) and indirect damages
(those of banks and financial institutions that have to invest in security features while also
risking the loss of users of their online services).
The analysis of the case law reported in the country profiles shows that phishing is a global,
borderless phenomenon. However, it appears that there are target countries and ‘countries
of origin’: it has been reported that perpetrators of phishing elect a country from where
they direct attacks to bank customers in other jurisdictions.
In Romania, for instance, it has been reported that phishing attacks are the most common
method for obtaining personal data that are further used in order to commit other crimes
(and this statement applies to all countries). Incidents are initiated in Romanian territory,
but are addressed to victims across the borders. In most cases, the perpetrators send emails
on behalf of a bank asking the victims, located in other territories, to provide them with
personal data and credit card codes. The information obtained is used to transfer money to
other bank accounts. The methodology creates investigative problems, since the authorities
of the victim’s country need to be able to cooperate with Romanian law enforcement
bodies in order to block the perpetrators.
International cooperation requires time, and in fact in some countries, such as the Czech
Republic, there have been several cases involving phishing in relation to which a criminal
investigation has been initiated, but no final judgements have so far been issued.
In other jurisdictions, however, the case law is more mature and court decisions can be
reported. This is the case notably in the following countries:
- China: in May 2009, the police station of Shanghai Baoshang District investigated a
phishing website that had been tricking users into inputting their usernames and
passwords for Taobao, an online transaction platform, in order to steal the money in
the users’ accounts. In two months, the phishing website stole more than CNY 10,000
(around €1,000). In June 2009, four phishing website operators were arrested. In
January 2010, they were sentenced by the Shanghai Baoshang District People’s Court
to imprisonment for the crime of fraud.
- France: two rulings of the High Court of Paris of 2 September 2004 and 21
September 2005 can be highlighted:
• In the 2004 ruling, the First Instance Court of Paris sanctioned a phishing attack
on the basis of fraud, unlawful access to a computer system and unlawful
alteration of data contained in such system. The convicted had mirrored a bank
website and by these means managed to order transfers of funds of his victims to
selected bank accounts. The offender has also been convicted for attempted fraud
and fraudulent access to an automated data processing system and received a
suspended prison sentence of one year and a fine of €8,500.
• In the 2005 ruling, the Court punished a phishing act on the basis of brand
counterfeiting. The Court considered that the fake website illegally used the
Microsoft brand and reproduced and disclosed without prior authorisation the
registration page of MSN Hotmail. The sanction remained low (€500 fine with
suspended sentence and €700 of damages to be paid to Microsoft) because of the
young age of the offender and the fact that no personal data had actually been
gathered. However, this decision is interesting since it is the only one that
indicates that phishing attacks also involve copyright/trademark violations, and
that they can thus be punished as such even if the perpetrator does not manage to
gather personal information and/or gain a financial benefit.
- Germany: in several cases courts (in civil proceedings where victims sued for damages)
have found that the use of data obtained by phishing for a transaction causing damage
to the victim’s financial position may constitute a criminal offence of computer-related
fraud, entitling the victim to recover damages.
- Italy: in 2008, a cyber attack against the Italian Post Company and one of the major
banking and financial institutions was prosecuted under Art. 494 of the Criminal code
(‘substitution of person’), together with Art. 617 sexies (‘falsification or alteration of
electronic communication data’), Art. 640 (‘fraud’), Art. 615 ter (‘abuse and intrusion
into electronic systems’) and Art. 12 of the Law 197/1991 (‘abuse in use of credit cards
and payments’), based on the intent of the criminals to use a false ID to break into the
companies’ electronic systems and steal money.
Cases of ‘SMS phishing’ and other online phishing have been prosecuted as well. For
example, in 2008 a courthouse sentenced a man for ‘manipulation of electronic
communication for the purpose of fraud’ to imprisonment for 20 months.
- Japan: in 2008, the Kyoto District Court ordered a 3 years 6 months jail term and fine
of 1,000,000 yen (around €9,000) for a defendant who committed fraud and an
unauthorised creation of electromagnetic records, for an incident involving the
unauthorised access to an ICT system using the personal information of another
person that he got by phishing.
- The Netherlands: the case of the Amsterdam Court of 28 May 2003 regarding a
Nigerian scam can be reported, where people were tricked by email. The suspect was
convicted for money laundering, involvement in a criminal organisation, fraud, forgery
and possession of forged travel documents to a fine of €411,440 and 4 years 6 months
imprisonment.
- Sweden: the district court of Uppsala ruled in a case in 2010, in which somebody
lured the victims via telephone into sharing their access codes. The perpetrator was
convicted for gross fraud to 10 months imprisonment and ordered to pay
compensation for damages of about 80,000 SEK (around €8,000).
- The United States: United States vs Goodin, US District Court, Central District of
California, 06-110, can be reported as an example. The defendant violated federal law
by sending customers of the ISP America Online thousands of unsolicited emails that
falsely purported to be from the AOL Billing Department. With these messages the
defendant prompted the receivers to update their personal and credit or debit card
information. The spam emails were sent from fraudulently created email accounts and
contained weblinks to false AOL webpages, which in turn contained computer code
directing the provided information to email accounts controlled by the defendant. He
then used the information to make unauthorised purchases. On 11 June 2007, the
defendant was sentenced to a total of 70 months of imprisonment. The judgment was
affirmed by the Ninth Circuit on 17 December 2008.
Taking into account the high number of phishing attacks worldwide, it may be surprising
that the case law to be reported in the countries covered by this study is relatively limited.
This is probably due to several different reasons, including difficulties in conducting
investigations and the fact that attacks often originate in a different country to that of
the victims. This theory seems likely if we consider that the abovementioned decisions, at
least in the case of France, China, Japan, Sweden and the United States, concerned
phishing attacks perpetrated from the national territory. Cross-border investigations
(requiring the linking of an IP address to a foreign individual) can be much more
complicated than purely national cases. However, the mapping of the case law shows that
when investigations are possible and a perpetrator can be found, he is likely to be
sentenced at least for fraud, though often in combination with other offences.
8.3.5 Using falsified identity documents to unlawfully apply for social benefits
Identity theft, as we pointed out above, is very often committed in order to gain an illicit
financial benefit. In the case law so far, we have reported situations of illicit gains with
direct damages for private companies and individuals who, for instance, lost their money
from bank accounts. Identity theft may be directed also against public institutions, to
obtain social benefits that would not be granted otherwise, for example.
The phenomenon of identity theft in the social security sector (so-called ‘social fraud’)
cannot be neglected. In many countries it has been reported that the impact of this form of
criminality is particularly large. In Ireland, for instance, prosecutions for social welfare
fraud are relatively common and approximately 380 cases were referred to the courts in
2009, according to a press release of 8 December 2009 from the Department of Social and
Family Affairs. In Belgium, too, social security fraud by means of falsified identity or by
means of falsified supporting documents is a serious issue that has a notable financial
impact on the state’s budget. According to the Belgian government, in 2008 the public
authorities paid €2.55 million to people who applied for employment benefits without any
right to obtain them; this is, of course, only a small part of social security benefits so that
the total losses to ID fraud are certainly bigger. Similarly, in China there have been
disputes concerning people who submitted falsified ID documents to apply for
governmentally subsidised housing benefits.
This implies that in several jurisdictions the case law in the field is particularly rich. The
following examples, inter alia, can be reported:
- Bulgaria: the courts, including the Court of Cassation, state that the use of false official
documents to unlawfully apply for and obtain pensions and compensations is
documentary fraud.
- Denmark: in a case from 1996 an Algerian citizen was sentenced to 3 months of
imprisonment for forgery and fraud using falsified documents to prove that he was a
French citizen and thereby claiming social benefits amounting to DKK 71,000
(around €9,500).
- Finland: like in Belgium and Ireland, there are several cases in which a person has
applied for social benefits by using other kinds of falsified documents (ie, other than
identity documents) or has provided the authorities with incorrect information or has
concealed relevant information from the authorities. In those cases the offences have
been classified as fraud and/or forgery. As an early example, in 1978 the Supreme
Court ruled that falsifying a (school) report card and the use of the report card when
applying for a training grant/education allowance constituted an attempted fraud.
- France: the Supreme Court in a judgment of 28 March 2006 confirmed the criminal
sentence pronounced by the Court of Appeal of Basse-Terre against a woman who lied
about her real name to obtain official identity documents (providing a third party’s
name) enabling her to opt for social benefits. The Appeal Court sentenced her to six
months of imprisonment (suspended) for identity theft, to another six months of
imprisonment (also suspended) for the use of falsified documents to obtain a benefit
and ordered her to reimburse the sums that had been paid to her by Social Security
Funds.
- Germany: the prevailing case law criminalises the act of using falsified identity
documents in order to unlawfully receive social benefits as fraud. There is a legal
obligation for welfare recipients to always state the truth. Thus, an error about identity
need not be elicited by special acts of the applicant. Even an accidental error of the
public agency has to be clarified. Any deviation is treated by the courts as fraud
committed by omission. Perpetrators will be punished with imprisonment or a fine.
Any single verification of social benefits counts as an independent criminal act and will
be penalised. Courts regularly even qualify social fraud as a criminal act committed on
a commercial basis, which is penalised as an especially serious type of fraud with
imprisonment from six months to ten years. Furthermore, perpetrators will have to
face two incidental legal consequences: (i) the reclaiming of unlawfully received social
benefits, and (ii) an entry in the criminal records and the police clearance certificate.
Even first offenders receive such an entry in their criminal records and police clearance
certificate if fines have been imposed at more than ninety daily rates.
- Greece: in its decision 887/2008, the Supreme Court ruled in a case in which a citizen
managed to deceive the authorities with regard to her date of birth in order to receive a
pension from the Social Insurance Institute under the early retirement scheme.
- Italy: there are many cases of social fraud. A particularly interesting case regards the
ongoing investigations of the office of the Prosecutor of Rome, as reported by the
press.88 According to the investigations carried out so far, it seems that 300 people
(mainly lawyers) falsified the signatures of Italian citizens living abroad in order to
apply for social benefits and/or to ask the competent courts to grant social benefits.
The defendants are likely to be charged with the offences of fraud, forgery and
substitution of person.
In February 2009, a group of 29 people falsely claiming to be disabled, who were benefiting from a
one-year state pension and assistance with the support of friendly doctors and public
officers, were arrested in Naples by the police. The Court of Naples qualified the
crimes as forgery (offline) of official documents and as fraud against the Public
Administration. The organisation was sentenced in total to 80 years of imprisonment
and a fine of €100,000 to be refunded to the Italian budget authority. The individual
defendants were sentenced to imprisonment (from a minimum of 2 years and 4
months to a maximum of 10 years), in accordance with the seriousness of the disability
claimed (and the consequent amount of the undue pension provided).
- Malta: there are several judgements of the Courts of Malta relating to this matter, such
as, for instance, Police vs Luigia Zarb Case No. 966/2005 (Court of Magistrates). In
this case the accused was found guilty of (i) using false names and committing
fraud, (ii) making false declarations in documents intended for a public authority
and (iii) infringing the Social Security Act by declaring false information about her
inheritance and by presenting falsified documentation.
88 See, as of 28 January 2011: http://roma.repubblica.it/cronaca/2010/08/06/news/pensioni_fantasma_maxi_truffa_all_inps6101257/index.html
- Belgium: the case law in the field is extensive. One notable case that can be mentioned
here is Court of Brussels of 21/5/2004: a person who falsified his identity documents
in order to obtain social benefits was sentenced (for this fact in combination with
other crimes) to 3 years imprisonment and a fine of €1,000.
- Spain: many decisions of the Spanish courts can be reported, including the Sentence
no. 1581/2005 of 26 December issued by the Supreme Court (Criminal Section),
where an illegal resident in Spain used a falsified copy of someone else’s resident card
and working permit in order to get a labour contract and to have access to Social
Security and to open a bank account. She was criminally convicted of usurpation of
someone else’s ‘civil status’ and sentenced to 7 months of imprisonment. Furthermore, there are
also cases of illegal immigrants who, while using a false identity, obtained social
benefits (a pension) derived from a professional accident; they were criminally convicted
of usurpation of ‘civil status’, but the Social Courts recognised their right to
the pension, as in Spain foreign workers have this right even if they do not have a
residence or working permit (see Sentence no. 7974/2006 of 15 November of the
Superior Court of Catalonia – Social Section).
The Netherlands, on the other hand, reflect a different trend, since relatively few cases of
identity theft to apply for social benefits are known. The Ministry of Social Affairs and
Employment states that it does not occur frequently since it is much easier to use authentic
identity documents to obtain social benefits and then work undeclared rather than using
falsified documents. This implies that the impact of identity theft on social security
depends on the national legislation and status of social benefits. Generally speaking,
however, even in those countries where many categories of citizens and foreigners may have
a right to benefits, the gravity of social fraud (often perpetrated through identity theft) is
notable.
8.3.6 Trafficking in unlawfully obtained personal information
Finally, the country reports also examined trafficking in unlawfully obtained personal
information, ie, of personal data collected through identity theft. This trafficking includes,
for example, the selling of databases of email addresses to email marketers. It is clear that
identity theft in these situations is preparatory to the trade of the data illicitly obtained.
The mapping of the most interesting case law reveals the following decisions in six
countries:
- Belgium: in 2000, the criminal courts of Ghent ruled in a case in which a hacker had
collected ISP customer data (username, password, email addresses and credit card
numbers) which he subsequently released to press agencies. The hacker was convicted
for violation of communications secrecy laws and fined.
- China: in 2009, A illegally purchased a detailed log of telephone calls made by
high-ranking local government officials, then sold it to fraudsters who used it to
impersonate the officials over the telephone. The fraudsters convinced friends or
relatives of the officials that the officials needed money for an emergency situation, and
then they induced them to transfer money to a bank account controlled by the
fraudsters. While the fraudsters were prosecuted for fraud, A was convicted by
Zhouhai Xiangzhou District People’s Court for the crime of illegally obtaining a
citizen’s personal information. A was sentenced to 18 months imprisonment and a
fine. The case showed that not only selling or illegally providing citizen’s individual
information to other persons by working personnel of particular organisations, but also
the illegal obtaining of such information by way of theft or other means, where the
circumstances of the case are serious, is subject to penalty. For these reasons this case is
particularly notable and shows the maturity of the national case law in the field of
identity theft.
- Greece: in 2003 the Supreme Court dealt with a case in which perpetrators, acting
together and with common intent, copied onto diskettes a list of clients from the
victim’s computer with the intention of using the clientele in a competing travel
agency that the perpetrators established following the departure of one of the
perpetrators. The Supreme Court held that the offence of violation of secret computer
elements or software was committed.
- Ireland: the Data Protection Commissioner has dealt with an inquiry relating to an
offer of the ‘gift’ of a database of names and addresses that had been made to a charity.
The charity asked for advice from the Commissioner’s office as to whether they could
accept this gift. The Commissioner expressed the view that acceptance of the gift
would involve breaches of the fair obtaining and compatible processing requirements
of the Data Protection Acts.
- The Russian Federation: in 2009 a court case of Mr Sh, a national of Moldova, was
examined. He sold the personal data of the clients of a famous insurance company.
The court ruled that from October 2006 to June 2008 Mr Sh was working as a top
specialist in the department of telephone sales at OOO Rosgosstrakh-Stolitsa and had
access to client databases containing key data of its clients constituting trade secrets,
specifically: their full personal data, including surnames, names and patronymic
names, permanent addresses and resident addresses, telephone numbers, insured
objects (car brands, identification numbers, registration codes, years of manufacture),
amount of insurance premiums, duration of contracts, and insurance policy numbers.
During this period the criminal copied the client database onto his personal data
storage device (a memory stick). On 6 February 2009 he found a customer interested
in this information on the Internet and arranged a meeting. The buyer was, however,
an employee of the economic and information security department at OOO HC
Rosgosstrakh, and Mr Sh sold him the data on more than 34,000 natural persons for
50,000 roubles (around €1,250). After that, he was arrested by police. Mr Sh was
sentenced to one year in a penal colony for illegal disclosure of information
constituting a trade secret without consent of its owner out of pecuniary interest after
acquiring the information at his workplace.
- Slovenia: the Information Commissioner investigated a case of illegal transmission of
personal data between two insurance companies. Personal data of 2,300 individuals
was sent from one insurance company to another, and used by the latter for direct
marketing. The sending of data by the first insurance company and the use of these data by the
second were carried out without the necessary legal ground. The first
insurance company was fined €112,000 and its responsible person €2,000, whereas the
second company was fined €108,000 and its responsible person €20,000, both for
violation of the Personal Data Protection Act. One of the companies appealed to the
court, whereas the second one paid the fines without appealing.
8.4 Identity theft reporting mechanisms
8.4.1 Introduction
The sections above have mainly examined the strictly legal responses to identity theft,
namely which laws exist, and how they are applied. But before this becomes relevant,
incidents need to be identified. The importance of efficient reporting mechanisms in the
field of identity theft (or in the field of any Internet-based crimes/problems) is pivotal.
By their nature, identity thefts are in the vast majority of cases unlikely to be
discovered by law enforcement officers unless the victim of the incident, or at least a witness,
reports the incident to the competent authorities. This consideration applies to
both online and offline identity thefts, and in the case of the Internet, the transnational nature
of the incident will also frequently play a role.
In other words, two elements are absolutely crucial in order to set up an efficient system to
combat identity theft (or Internet-based crimes): a transparent and effective reporting
mechanism for victims of incidents, and transnational cooperation between the authorities
in charge of collecting those reports.
These issues, especially the first, have been assessed in all of the countries covered by the
present study. The analysis shows that the public authorities of almost all of them have set
up online or offline reporting mechanisms for identity theft incidents, other Internet-based
crimes or crimes in general, or, at least have set up awareness-raising campaigns or created
dedicated websites where potential victims may get information about existing risks and
how to be protected.
However, when looking specifically at identity theft, only a limited number of countries
have implemented reporting mechanisms. In the next paragraphs we will provide an
overview of existing reporting mechanisms in the countries covered by the present study,
taking into account that a distinction must be made between:
- Online and offline reporting mechanisms;
- Reporting mechanisms dedicated to identity theft incidents, reporting
mechanisms for Internet-based crimes and reporting mechanisms dedicated to all
crimes.
Without entering into further details at this stage, we can note that many countries have
set up general online reporting mechanisms (and in some other countries it is possible to
send complaints about identity theft incidents by email, so that the number of jurisdictions
where only paper-based reports are accepted is relatively limited), but that only a few of
these have implemented online or offline reporting mechanisms exclusively dedicated to
identity theft incidents.
The fact that identity theft incidents are to be reported using a website where any other
crimes can also be declared does not, of course, mean that the reporting system is not
efficient or that it is less efficient than in those countries that have a dedicated reporting
mechanism, provided that the victim can obtain enough information about what identity
theft is and how it can be reported.
Education and awareness are thus very important: traditional crimes are
readily recognisable to most citizens, but this is not necessarily the case
for identity theft (the same applies to phishing, etc.). This explains why educating
Internet users and potential victims is as important as providing them with efficient
reporting mechanisms.
8.4.2 Ad hoc online and offline identity theft reporting mechanisms
As a first category in this analysis, several countries have implemented specific systems and
tools expressly aimed at receiving complaints about identity theft incidents, a summary
description of which is provided below. The country with the most sophisticated
online tools to report identity theft is the United States, where a variety of online
reporting mechanisms are available for victims of these incidents.
The primary one is the Federal Trade Commission’s identity theft Complaint Form. This
tool allows the submission of reports about online and offline identity theft incidents,
both online and by phone. The Federal Trade Commission stores all reports
in a dedicated database of online and offline identity theft incidents, which can be shared
with private entities when this is useful for investigations or to better combat identity theft.
In particular, the identity theft complaint form used by consumers online in order to file a
complaint with the Federal Trade Commission can, in conjunction with a police report,
become part of an identity theft report, which contains enough information about the
crime to verify that someone became a victim of identity theft and in what way. These
identity theft reports can then be submitted to credit reporting companies or creditors to
gain legal protection against identity theft.
The Federal Trade Commission works in collaboration with police forces and other law
enforcement agencies across the United States, as the latter will be in charge of
investigating the incidents and prosecuting their perpetrators. However, victims of identity
theft can report it directly to the Federal Trade Commission, which thus acts as a single
point of contact.
Other US bodies have implemented their own identity theft reporting mechanisms,
including the Postal Inspection Service, the Social Security Administration’s Office of the
Inspector General, the Internal Revenue Service, the State Attorney General’s Offices, and
the Internet Fraud Complaint Center.
The extensive list above illustrates that in the United States identity theft incidents are
perceived to represent a serious problem which is given due policy priority.
The situation is rather different in Europe, where existing online reporting systems
generally target all Internet-based crimes or, more generally, all kinds of crimes (without
specific emphasis on identity theft). The Netherlands are the exception to the rule, since
the Dutch government has implemented its Central Reporting and Information Point for
Identity Fraud and Identity Errors.
In the Dutch portal, victims of identity theft incidents may obtain general information and
also ask questions to the team at the Point about identity fraud and mistakes in the
registration of data. Furthermore, victims can report identity theft incidents: the claim is
filed using a standardised document (available on the website of the Point) that then has to
be sent by post. In other words, the reporting mechanism is, in fact, offline, as all
communications between the Point and the reporter take place by regular mail.
The Dutch portal is notable in one other respect, which appears to be unique among the
examined countries: rather than being merely a tool to report identity theft, the initial
report also triggers two-way communication. Specifically, the victim is given initial
guidance on what steps to take next, and is thereafter frequently updated on the status of
his/her report, including the status of investigations. In this way, the portal serves not only
as a tool to collect complaints and pass those on to the relevant authorities, but can
effectively serve as a single point of contact for the citizen. This can certainly be
highlighted as a viable example of good practice.
8.4.3 Generic reporting mechanisms
Whereas in the United States and in the Netherlands there are reporting mechanisms
dedicated to identity theft, in several other states the competent authorities have set up
generic reporting tools where identity theft incidents can also be reported. Several
categories can be identified:
Online reporting mechanisms for Internet-related crimes/problems
In a number of countries victims or witnesses of any Internet-related offences (including
identity theft) can report them to the authorities through an online form. The reader must
be aware of the fact that in some cases these reporting systems are limited to ‘real’ crimes
(ie, to facts qualified as criminal offences by the law), while in other jurisdictions the
reporting tools can be used also by victims of disruptive behaviours that are not to be
qualified per se as crimes.
Generally speaking, online reporting mechanisms managed by the police or by law
enforcement agencies can only follow up on reports about crimes (eg, the fact that
somebody else creates a fake profile of another person on a social network, without
pursuing defamation or fraud, is therefore excluded); reporting mechanisms managed by
entities other than law enforcement agencies may usually accept reports about identity
theft incidents that are not to be qualified as crimes as such.
The following countries have online reporting mechanisms for Internet-related crimes:
- Belgium: eCops, a general reporting site for Internet crimes, has been established.
This site is managed by the Federal Judicial Police and it is not directly aimed at
collecting reports of victims of incidents (who should instead directly contact the
police). However, witnesses of Internet-related offences can report them to the
Police using the eCops platform: all reports then will be transferred to the special
Federal Computer Crime Unit of the Federal Judicial Police.
- Bulgaria: here the site/tool Cybercrime.bg, managed by the Ministry of Interior,
acts as single contact point and incidents related to phishing (and to other
Internet-related crimes as well) can be reported.
- Greece: the tool Safeinternet.gr, created in cooperation between public and private
sectors, acts as an information portal for the reporting of Internet-based crimes.
The hotline Safeline.gr, the second pillar of Safeinternet.gr, can be used to report
violations, mainly linked to illegal content on the Internet, but without excluding
all Internet-based crimes and identity theft incidents (when these can be qualified
as criminal offences). Safeline.gr thus is a single contact point to report Internet-based
crime incidents in Greek and in English. Reports can be submitted online,
by phone, by mail, by email or by SMS. All reports are then sent to the police and
to the corresponding hotline, if any, in the country of origin of the crime. Several
identity theft crimes can also be reported online to the Hellenic Authority for
Information and Communication Security and Privacy.
- India: there are several ways to report Internet-related offences in India. These are
the online reporting mechanisms of the Indian Computer Emergency Response
Team, those of the Cyber Crime Investigation Cells across India, and those of the
Cyber Crime police stations (where the service is available). However, these
services collect relatively few reports due to lack of information available to the
public.
- Italy: the CNAIPIC (Anti-Cybercrime Centre for National Infrastructure
Protection) is a highly specialised cell of the Italian Police, which aims to prevent
and deter cyber-threats. CNAIPIC has exclusive competence to prevent and
investigate crimes concerning ICT systems with a serious impact or that are
relevant to national interests. An operational contact point (managed by the
helpdesk of CNAIPIC) is open 24 hours a day, 7 days a week; it is available for
owners and managers of critical infrastructures and for other entities operating in
the protection of such infrastructures. Therefore the helpdesk is not accessible to
citizens and ordinary users.
- Japan: the websites of the IT Promotion Agency and of the Internet Hotline
Center provide users with the opportunity to report illegal Internet incidents
(unauthorised accesses, damages to data, etc.), including those related to identity
theft.
- Romania: the website eFrauda.ro was established to collect complaints about
Internet frauds and cybercrimes (including spam and spyware); however, at the
time of reporting the site was inoperative.
- United Kingdom: through the portal of Action Fraud, any offline or
Internet-based incident relating to fraud (including identity theft incidents and phishing)
can be reported using standardised forms, in order to facilitate the reporting and
effective follow-up of any fraud. Action Fraud is intended for victims and
witnesses of frauds and the data collected are forwarded to the National Fraud
Intelligence Bureau and, when necessary, to local police forces.
The list above focuses on reporting mechanisms for crimes. The following countries have
reporting mechanisms for Internet problems (even when they do not necessarily qualify as
crimes as such):
- Austria: the reporting tool Stopline.at can be used to report Internet-based
offences relating to (i) child pornography and (ii) promotion of national socialist
ideas. Although in principle the reporting mechanism can be accessed only to
report the abovementioned offences, it is likely that reports about identity theft
will be forwarded to the general IT-Crime Department of the Federal Criminal
Police, competent for Internet-based crimes.
- Cyprus: the portal of SafenetCY accepts, processes and forwards reports about all
Internet problems, and addresses not only issues of pornography, but also racism,
gender discrimination and inappropriate use of people’s images. Persons can
report any content on the Internet that they believe is illegal or simply
inappropriate or offensive. This includes websites, newsgroups, FTP, emails and
chat rooms. After verification of any alleged illegal content, all reports are
forwarded to the police and to the hotline (if any) in the country of origin of the
illegal content.
- Ireland: the platform Hotline.ie is a facility to report suspected illegal content
(thus including criminal content, but also content related to phishing and identity theft).
- Finland: incidents related to electronic communications can be reported online to
the Finnish Communications Regulatory Authority.
- Latvia: it is possible to report problems online to the Computer Security Incident
Response Team (DDIRV), part of the State Information Network Agency.
Consultations and recommendations are available for every person who has
submitted an incident report and DDIRV is responsible for security incident
handling and prevention in the reporter’s network.
- Lithuania: IT security incidents can be reported online via the general reporting
website of the Lithuanian National Computer Emergency Response Team, which
is part of the Lithuanian Communications Regulatory Authority. However, this
reporting mechanism is not primarily intended for victims of Internet incidents,
who should report them directly to the police.
- Portugal: unsolicited communications and other malpractices on electronic
communications (including those related to identity theft) can be reported online
to the Telecommunications Regulatory Authority.
- Romania: phishing incidents can be reported online to the Romanian Computer
Emergency Response Team.
- Slovenia: incidents linked to malpractices on electronic communications can be
reported online to the Post and Electronic Communications Agency (the report
must be digitally signed by the victim or reporter). Security incidents involving
networks or systems in Slovenia can be reported by email to the Slovenian
Computer Emergency Response Team Constituency.
Online reporting mechanisms for all offences
Online reporting mechanisms for crimes in general (thus not only Internet-related facts,
but all offences) can also be useful tools in combating identity theft. These online
mechanisms are generally managed by national or local police forces and collect complaints
about facts, qualified as criminal at least prima facie by the reporter, that need further
investigation.
Electronic reporting of offences via the website(s) of the police is possible in:
- Finland, via generic police department sites.
- Hungary, where online reporting at the crime prevention website of the police is
possible; more direct online reporting of crimes to the police will soon be
implemented in the framework of e-Government reforms.
- Italy, where the online reporting of crimes to the police implies the instant
opening of a crime report and where crimes specifically related to the
telecommunications and postal service can be reported by email to a special
department of the police.
- Lithuania, where incidents can be reported online by victims via the website of the
so-called Cyberpolice.
- Luxembourg, where crimes can be reported online to the police, although the
report must then be completed in the office of a law enforcement body by a
physical complaint.
- Malta, where online reporting to the Malta Police Force is possible. It is also
possible to provide the police with general information about a fact without
formally reporting a crime. If a crime has been reported, there is the possibility for
the reporter to follow up any file and to obtain information from the police about
the reported incident.
- Russia, where crimes can be reported through the portal of the police, which acts
as point of contact for reporting any offence using standardised user-friendly
forms. All registered statements and reports related to crimes and violations in
computer information, Internet or other networks (including digital identity theft)
are passed on to regional specialised and dedicated ‘K’ departments of the Ministry
of Internal Affairs according to where these statements were registered.
o
Slovenia, where online reporting of offences to the Ministry of Interior through
the e-Government portal is possible (reports must be signed with the digital
signature of the reporter).
o
Spain, where crimes can be reported by email to the national police and online
(and by email) to the Civil Guard. However, according to Spanish law, victims of
crimes should always report the incidents in person, and thus the usage of online
reporting tools would not be legally adequate. Cases of phishing can be reported
by email to the Internet Domain Names Registry; however, victims should also
follow the normal procedure with the police as reporting to the Registry is not
enough to initiate formal investigations.
The examples above show that police forces play a notable role in many countries in
collecting reports about identity theft incidents and in opening investigations. If such
incidents do not involve a crime, other actors may be involved, namely administrative
bodies. The role of national Data Protection Authorities (DPAs) should be examined
specifically in dealing with identity theft incidents, provided that, generally speaking, such
incidents involve the violation of data protection laws as noted above, and therefore their
perpetrators could at least in theory be sanctioned for this by the competent DPA.
In some jurisdictions identity theft incidents, when they involve the unlawful processing of
personal data (as is normally the case), can be reported online to the national DPA, which
will then start investigations. This may happen, inter alia, in Bulgaria, Finland, Greece,
Latvia, Lithuania, Poland and Slovenia.
In these countries it is of course necessary that the coordination between the different
bodies and authorities involved is efficient, in order to avoid overlaps and double actions
by different authorities to investigate the same incident. This applies also to countries
where the intervention of the DPA can be requested offline – in this sense it would
certainly be more efficient to have a single point of contact for identity theft incidents, as
in the United States and in the Netherlands.
As a matter of nuance however, it is worth noting that no case law has been identified
where a DPA has issued sanctions to identity theft perpetrators. While this may be simply
a matter of a ‘dark number’ (as such sanctions may not necessarily be made public), it is
equally possible that such sanctions are rare in practice. Thus, the effectiveness of DPAs as
an avenue for combating identity theft is uncertain.
8.4.4 Other reporting mechanisms and informative sites
Some countries have developed other systems to combat identity theft and to manage
reports about these incidents. In Canada, for instance, there are multiple points of
information and only a few are dedicated to identity theft. There are, however, several
phone hotlines and online filing systems managed by government departments and private
entities where identity theft incidents can be reported. These tools only provide guidance
on how to protect against identity theft and do not coordinate the further process (eg,
investigations, notifications to the reporter, etc.) after the reporting itself.
In China, although in principle all offences must be reported directly to the police, some
non-governmental reporting mechanisms have been established in some regions (worth
mentioning is the Anti-Phishing Alliance, which combines several business organisations).
However, these provide reporters with information and technical solutions rather than
with any legal follow-up. A notable role is played by the reporting site of the Internet
Society of China. This maintains an online Illegal and Inappropriate Information
Reporting Center. People may report phishing or other illegal websites to the Center. The
Center will then forward the received reports to the competent authorities, such as the
police.
In Denmark, similarly, there is no general identity theft reporting mechanism, but all
Danish banks have a reporting tool for problems with passwords and banking credentials.
Denmark thus represents a good example of a country where private entities (banks) set up
reporting mechanisms for identity theft incidents. Banks will then forward the reports to
the competent authorities: this system has the advantage that victims of identity theft
incidents, at least when banking data are concerned, know immediately to whom such
offences can be reported, as it will be more intuitive to an identity theft victim to refer to
his/her own bank in case of trouble with passwords, credit card data, etc.
Another example of private parties playing a supporting role in identifying and combating
identity theft incidents is consumers’ associations. These can also take the initiative to
report identity theft incidents to competent law enforcement agencies (eg, in Italy), or in
other countries (eg, Latvia) it may be possible to report incidents directly to such
associations.
Finally, it is worth pointing out the importance of information (and awareness-raising)
campaigns and informative websites, where consumers and businesses can find information
about the risks of identity theft and about how these can be prevented and reported, even
if the sites themselves offer no reporting mechanisms. Examples of extensive informative
sites about identity theft can be found in Belgium, the Czech Republic, Denmark, Estonia
(where information about identity theft crimes is available on the website of the police, to
which these incidents must be reported), France (where awareness campaigns have been
carried out by French banks and other non-governmental organisations), Germany,
Greece, Japan (where the National Police Agency provides users with consultation services
about Internet safety and security, and where there are many other informative sites),
Lithuania, Luxembourg (where competent public authorities carry out informative sessions
about identity theft risks at schools), Malta, The Netherlands, Romania, Russia (where
there are informative sites of regional police offices and of other public and private
entities), Spain (where, in addition, an Online Fraud Repository is available), Sweden and
the United Kingdom. These sites can play a crucial role in ensuring that consumers are
made aware of identity theft risks and of appropriate follow-up mechanisms.
8.4.5 Cross-border collaboration and international reporting mechanisms
Transcending the strictly national perspective, it has to be highlighted that national
reporting mechanisms (and subsequent actions) should ideally be coordinated at the
European and international level. This coordination should allow the exchange of general
identity-related information (eg, characteristics of official ID documents, where to find
competent authorities) and should facilitate cross-border investigations.
In terms of the exchange of identity-related information, there are sites that disseminate
information about official ID documents with the aim of providing authorities and citizens
with useful information about national ID cards and of providing them with the
opportunity to verify the identity of people they have to deal with. This is precisely the
scope of the PRADO system (‘Public Register of Authentic Identity and Travel
Documents Online’), which is a website with information about the security features of
identity documents of countries within the European Union and the European Economic
Area. The system is managed by the Council of Europe and is based on the European
Image-Archiving System FADO (‘False and Authentic Documents Online’), created by the
Council Joint Action 98/700/JHA of 3 December 1998.89
Such European initiatives are also reflected in national tools, such as in Belgium, where
citizens can verify whether Belgian identity documents (passport, identity card, residence
permit with chip) are valid or not through the website checkdoc.be.
European initiatives are also pivotal as regards the exchange of data between national
authorities. The information gathered through national reporting mechanisms, given the
frequent transnational nature of cybercrime, will often need to be exchanged among law
enforcement agencies: this is the aim of the recently established European Cybercrime
Platform (ECCP), managed by Europol, which would act as an information hub, analysing
and exchanging with national law enforcement authorities information relating to
cybercrime falling under Europol’s mandate.
89 As of 28 January 2011, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1998:333:0004:0007:EN:PDF
ECCP will be complemented by national Cybercrime Alert Platforms that collect
information to be shared: according to available data almost all Member States have
established national alert platforms, while Europol is working on its EU Cybercrime
Platform. In practice, the tool implies that national platforms receive citizens’ reports
about illicit content or behaviour detected on the Internet and that Europol’s EU
Cybercrime Platform receives law enforcement authorities’ reports on serious cross-border
cybercrime.90 Identity theft reporting mechanisms could thus conceivably ‘plug in’ to
generic national cybercrime platforms, or even directly into the EU-level platform.
The relevance of supra-national initiatives such as ECCP can be fully understood if one
considers that identity theft often is perpetrated by international criminal organisations in
the framework of illegal activities such as fraud, terrorism, human trafficking, etc. All these
serious threats to individual and collective freedoms and security need to be tackled from a
(at least) European perspective: this is underlined in the EU strategy document ‘The
prevention and control of organised crime: a strategy for the beginning of the new
millennium’,91 implemented inter alia by the Council Decision 2001/427/JHA of 28 May
200192 that sets up a European Crime Prevention Network. A role in the field is also
played by the Multidisciplinary Group on Organised Crime that has the task of
coordinating and developing the strategic concept of the European Council in fighting
organised crime (as emerged from the results of the Seminar on Organised Crime held in
The Hague on 10 and 11 June 2004).93
90 For further information see (as of 28 January 2011): http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/10/349&format=HTML&aged=0&language=EN&guiLanguage=en
91 Official Journal C 124 of 3/5/2000
92 As of 28 January 2011, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001D0427:EN:HTML
93 See (as of 28 January 2011): http://register.consilium.europa.eu/pdf/en/04/st13/st13463-re02.en04.pdf
CHAPTER 9 Conclusions and recommendations
9.1.1 Key findings
Looking at the legislation identified in the country reports, it is clear that only a minority
of countries presently have enacted specific identity theft legislation. Traditional
provisions, notably with respect to fraud, forgery, and cybercrime, are generally applied to
address identity theft instances.
Based on the case law presented, it is not evident that this lack of specific regulations
presents significant difficulties in practice: appropriate criminal classifications were found
to exist for each of the five chosen scenarios in each of the examined countries. While
actual case law is not as prevalent as could have been hoped for, it nonetheless showed that
traditional legal qualifications (notably fraud) are commonly applied to instances of
identity theft. Thus, the country reports do not support a notion that there is a clear legal
vacuum to be filled in order to be able to effectively combat identity theft.
The reports also highlighted that there is a significant disparity in the qualifications and
sanctions applied in each case. Partially this can be explained by the differences in case
details, but it is certainly also the result of the conscious policy choice to leave the
determination of appropriate sanctions to specific crimes as a part of Member State
autonomy. As such, this is not an issue unique to identity theft.
The viability of establishing a common EU wide concept of identity theft and/or a
common punishment policy depends largely on whether or not the threshold of
subsidiarity which enables European policy intervention can be addressed. Policy
intervention may be more clearly warranted if unacceptable inconsistencies between
national laws or policies would be identified that risk overburdening the courts or law
enforcement bodies of some Member States due to the inaction of their neighbours, or due
to the inability to effectively address identity theft in the absence of joint EU level
intervention. The current report does not directly support that there is a universal need for
EU action, since no instances have been identified where an act of identity theft as
described in Chapters 1 and 2 of this report could not be punished at the national level.
When considering EU level intervention, it is important to acknowledge and consider the
challenges in proposing such a common concept of identity theft, including notably what
activities the concept really aims to criminalise, which (if any) unintended side effects may
occur on the basis of proposed definitions, and how new proposals might relate to existing
laws, including the evolving European Legal Framework for Privacy and Data Protection
and cybercrime regulations such as the aforementioned Framework Decision on Attacks
Against Information Systems and the Council of Europe Convention on Cybercrime.
With respect to reporting mechanisms, the analysis above shows that while many of the
examined countries have implemented them in some form or other, their scope and
function vary quite widely. Currently, the spectrum includes sites focusing on identity
theft, on cybercrime in general, and on any crime; sites that offer online reporting or that
only support offline reports; sites operated by private parties and sites operated by public
authorities; and sites that can be used to initiate criminal investigations or that only
provide recommendations and tips to victims. Generally, the interactivity of these sites is
still quite limited in the sense that reporting individuals are not typically informed of how
their reports will be treated, and the cross-border dimension of many identity theft
incidents is still largely not addressed by the reporting mechanisms, which do not allow
reports to be transmitted to investigative authorities in other Member States. Thus, there is
certainly still room for improvement on this point, especially considering that the
reporting mechanisms could also be used as a useful data collection tool, which could
contribute to the emergence of a common understanding of identity theft and its
prevalence at the EU level.
9.1.2 Conclusions with respect to legislation
The analysis above shows that there is currently no homogenous approach to the topic of
identity theft as such among EU Member States, but that all of them have similar (or only
partially divergent) rules in the field of fraud, forgery, data protection, etc.
Collectively these may well prove to be adequate to address identity theft in practice,
considering that preparatory acts to identity theft (collecting and trading identity
information or documents) will normally run foul of data protection laws, and that
subsequent uses of such material will fall under one of the other classifications examined
above. From the practical perspective, then, the need for new criminalising regulations is
not evident based on the observations above. However, it should be acknowledged that
certain weaknesses still exist in the current regulatory framework with respect to identity
theft, notably:
• The fact that there appears to be no consensus on the existence of any regulatory
vacuum; while the French example demonstrates that there is at least one Member
State that feels that there is a gap to be filled, this perception is not necessarily
shared by other Member States.
• The fact that other possibly applicable provisions (notably including fraud,
forgery, and their computer-related variations) are not fully harmonised. While
this is a conscious policy choice made by existing initiatives which intended to
bring these regulations closely together but not make them fully identical, it may
have the side effect of making some instances of identity theft illegal in some
Member States and not in others.
• The fact that the theoretical safety net provided by data protection regulations
depends on the existence of effective enforcement strategies in the Member States,
and that such enforcement strategies are certainly not standard practice.
Thus, while no clear regulatory gap is evident from the examined evidence, this issue
largely depends on how identity theft is identified, and how broadly one wishes to
criminalise specific behaviour, especially in the absence of harm to the victim and outside
the context of existing crimes. The examples examined above (eg, the French regulation)
may not be universally supported by all Member States, given the relatively broad wording
that may lead to diverging interpretations. As a result, it may prove to be challenging to
find an agreement between the Member States on the definition and limits of any new
identity theft offence.
EU initiatives in this area should thus duly consider what activities they really aim to
address, which (if any) unintended side effects may occur on the basis of proposed
definitions, and how new proposals relate to existing laws, including the Data Protection
Directive and cybercrime regulations such as the aforementioned Framework Decision on
Attacks Against Information Systems and the Council of Europe Convention on
Cybercrime.
9.1.3 Conclusions with respect to case law
It is clear that the case law presented in the country reports represents only a single data
point for each country (as it was collected via a single correspondent), and therefore that it
should not be considered as comprehensive. The main conclusion is that appropriate
criminal classifications exist for each of the five chosen scenarios in each of the examined
countries. Actual case law is less prevalent, but when available, it shows that traditional
legal qualifications (notably fraud) are the typical response to incidents of identity theft.
Thus, the country reports do not support the contention that there is a clear legal vacuum
to be filled in order to be able to combat identity theft.
It is also clear, however, that there is a significant disparity in the sanctions applied in each
case, but as has already been noted above, this is the result of both the differences in case
details and of the conscious policy choice to leave this autonomy to the Member States;
thus, it is not a challenge unique to identity theft.
9.1.4 Conclusions with respect to reporting mechanisms
It seems that many of the countries covered by the present study have adopted online tools to
allow victims (and/or witnesses) to report crimes in general and in a smaller number of
instances, identity theft incidents. In many jurisdictions, as pointed out above, it is not
possible to report identity theft cases if they cannot be qualified as crimes or if they do not
violate data protection legislation. However, based on the analysis of the five scenarios used
in the country reports, in most cases identity theft incidents are likely to be qualified either
as criminal offences or as privacy violations.
The spectrum of possibilities offered by the jurisdictions analysed in this Study is very
wide, and it ranges from online ad hoc identity theft reporting mechanisms to an absolute
absence of reporting mechanisms and to websites focusing on cybercrime, identity theft or
fraud in general.
In the middle of this spectrum, we encountered opportunities to report offline identity
theft incidents via dedicated channels (The Netherlands), to report online crimes to the
competent law enforcement agencies and/or to the competent privacy/telecommunications
authority, and to report offences to the abovementioned authorities exclusively offline (the
Czech Republic, where, however, there exist dedicated informative sites). It should also be
acknowledged that in some countries, like Denmark, private bodies with an existing
business relationship with the victims (in this case banks) can play a strong complementary
role by collecting reports about identity theft incidents and forwarding them to the
competent authorities.
Every system has its strengths and its weaknesses. In general, however, from a good practice
dissemination perspective it would seem advisable that each country should establish at a
minimum a single online reporting mechanism where identity theft incidents can be
reported. This can be either a dedicated identity theft reporting site, or a more generic
incident reporting site; in the latter case it would be advisable to ensure that victims (or
simply concerned citizens) can find sufficient information on identity theft threats and
appropriate follow-up actions on their part. The effort of the public authorities in
Luxembourg to educate pupils at school about these issues is an interesting example of a
proactive approach. Citizens who know the risks are of course the first, and best, defence
against fraudsters and other online criminals.
From a more prospective perspective, it is worth noting that only one of the examined
reporting sites (namely the Dutch one) triggers two-way communications by allowing the
victim to stay informed about the follow-up given to a specific report (if any). In the
Netherlands, tri-weekly update reports are made available to the victim (although this does
not appear to involve the reporting website as such). Such two-way communication
facilities can be considered a good practice, to remove the ‘black box’ impression that most
current reporting mechanisms have: once a complaint is filed, it is often unclear to the
reporting individual what follow-up (if any) is given to the complaint.
A second and more obvious observation is the need to ensure the proper integration of
these national reporting mechanisms into a European-level system to facilitate cross-border
investigations. The establishment of a single EU-level reporting site might be a worthwhile
avenue for exploration, as would the use at the national level of harmonised reporting
forms/questions, which would further facilitate cross-border investigations.
Finally, the frequent use of such reporting mechanisms would also support the more
systematic collection of statistical data on identity theft, including the prevalence of
specific categories of identity theft, their consequences to the victim, and possibly the
outcome of any investigations. Such data is now largely unavailable at the national level,
and largely incomparable at the European level even when it exists. Improving the
availability of statistical data would improve awareness of identity theft risks, increase
know-how, and facilitate policymaking at the national and European level, if implemented
in a sufficiently homogeneous way across the Member States.
9.2 Recommendations
This then brings us to the problem of where best to intervene at the EU level, since the
cross-border potential of these forms of misuse (especially where identity theft and
identity-related crimes are linked to organised crime, money laundering or terrorism)
requires concerted action amongst Member States but also at the EU level, and even
internationally.
The complexities of bringing into force a single pan-European instrument are not
insignificant, primarily because this would require a common understanding of the scope
of the concept of identity theft. As Chapter 1 shows, a generally agreeable definition of
identity theft remains elusive amongst practitioners, experts and academics. It seems that
many on the front line take the view that ‘we know identity theft when we see it’ but of
course this approach has its limits: whilst it may be sufficient for police and operational
level coordination, cross-border cases require a rather clearer understanding.
Nonetheless, the evidence presented in this report suggests that key policy priorities should
revolve around the sharing of best practices and improving communication. The examined
scenarios in the country reports generally do not indicate that there is a clear legal vacuum
to be filled, nor do the comments provided by the correspondents or the analysis above.
Obviously, however, the question of the existence of any regulatory vacuum depends on
how one chooses to define identity theft; thus, the emergence of a common understanding
of this concept might also clarify if any gap exists. On the basis of existing regulations,
policies and case law, there does not appear to be a universal perception among the
Member States that there is such a regulatory vacuum to be filled.
In contrast, the improvement of communication is a recurring theme, which applies both
to exchanges between victim/investigator, and between investigators in different Member
States. Setting up ‘one-stop shops’ is a key part of the solution, as these allow identity
victims to more easily report identity crimes, and can also act as a communications device
to enable investigators to keep the victims updated on the status of specific investigations.
Indeed, such an approach is reflected in the Stockholm Programme where the European
Commission was invited to take measures to enhance/improve public-private partnerships.
A second pivotal point is the collaboration between national investigative bodies through
an EU contact network, as is foreseen in Council Framework Decision 2005/222/JHA, at
least for electronic identity theft, and in the Council Conclusions of March 2010 on
implementing a concerted strategy to combat cybercrime, which envisages a variety of
softer measures such as:
• The consolidation and if necessary updating of the functions of the European
Cybercrime Platform (subsequently elaborated in the remit of Europol’s European
Cybercrime Task Force and the Internet Crime Reporting Online System
(ICROS)).
• Foreseeing a permanent liaison body with user and victim organisations and the
private sector.
These should facilitate interactions at the European level, which would improve the
effectiveness of European-scale investigations, with the additional benefit that such
experiences could be extended to other categories of criminal investigations. Further down
the road, it is equally important to extend this approach to other countries (as foreseen in
the Convention on Cybercrime), which will require renewed policy attention on this
point.
Finally, identity theft also clearly faces the challenge of policy priority. This is not a matter
of putting in place suitable legislation (which law applies) or addressing operational
challenges (who to talk to in international investigations), but simply a matter of
prioritisation: which cases of identity theft and fraud are worth investigating and
prosecuting? The question is not trivial. Especially in international cases with an Internet
component (eg, creation of false identities to enable fraud), investigations can be complex
and very time consuming, and as a consequence also very expensive. The country reports
identified several instances where cases were not followed up, simply because of a real or
perceived disproportion between the harm suffered by the victim and the resources
required to take action (especially considering the uncertainty of the outcome beforehand).
This is, however, a challenge that applies to most categories of international crime,
especially those conducted via the Internet, where traces are often easier to hide by a skilled
criminal.
Here, too, a common position needs to be found at the international level, since
differences in investigation and prosecution priorities between countries will only lead to
investigations in one country being blocked if they are not considered important enough to
investigators in a different country.
Based on this approach, reporting of identity theft incidents could be improved, as could
the follow-up of complaints and the effectiveness of international investigations.
Our study illustrates that at the national level, despite the absence of a single pan-European
instrument governing identity theft, there is little evidence of significant gaps in legislative
responses to identity theft incidents. However, there remain a number of challenges in
respect of implementation and interpretation of existing legal frameworks with respect to
identity theft and identity related crime, most notably the applicability of existing rules
with respect to e.g. fraud or forgery to such incidents, and the disparities observed in non-legal
responses (e.g. presence of and efficacy of reporting points, awareness campaigns and
so on). Arguably, as the UNDOC report illustrates, such non-legal responses may be
considered a more effective route to addressing these forms of misuse.94 In large part, this is
a question of reducing the opportunity for identity theft and identity related crime in the
first instance, by governments acknowledging the limits of their own responsibility and
putting in place effective educative and awareness raising tools to encourage individuals to
take responsibility.95 In effect, policy focus in this area may be better served on the basis of
‘helping people to help themselves’, whilst noting the specific opportunities for public
policy intervention (e.g. in strengthening identity infrastructures).
If any further European intervention would be considered to improve the effectiveness of
national or European responses to identity theft, the evidence of this stock-taking
study suggests that (a) non-legal responses should be a large priority of any policy approach
rather than focusing on the definition of a new subtype of crime; (b) that there is currently
no common understanding of the notion of ‘identity theft’ which will make the drafting of
a clear common definition extremely challenging; and (c) that there is a substantial risk of
overlap with existing criminal provisions, notably with respect to fraud and/or forgery,
when attempting to define new crimes. Ensuring consistency in national criminal law
enforcement is therefore of paramount importance.
Based on these observations, any regulatory initiatives aiming to introduce new criminal
concepts into national criminal law should undergo a formal regulatory impact assessment
to determine if/how these issues can be addressed in a satisfactory manner.
94 Chryssikos et al. (2008), p.93
95 Felson, M. and Clarke, R.V. (1998)
REFERENCES
Reference List
Australian Bureau of Statistics (2008), ‘Personal Fraud: Nearly $1 billion dollars lost to
Personal Fraud in Australia,’ press release citing the Personal Fraud 2007 study (cat. no.
4528.0). As of 28 January 2011:
http://www.abs.gov.au/ausstats/[email protected]/Products/4500.0~2008~Main+Features~Crime?
Canadian Department of Justice, ‘Identity Theft: Consultation on Proposals to Amend the
Criminal Code,’ Criminal Law Policy Section, June 2006. [Cited in Sproule and Archer
(2007)]
Choo, K-K.R., R.G. Smith & R. McCusker (2007), ‘Future directions in technology-enabled
crime: 2007–09,’ Australian Government, Australian Institute of Criminology.
Chryssikos, D., N. Passas, & C.D. Ram (eds.) (2008), ‘The evolving challenge of identity
related crime: addressing fraud and the criminal misuse and falsification of identity,’
International Scientific and Professional Advisory Council of the United Nations Crime
Prevention and Criminal Justice Programme (ISPAC), Milan.
CIFAS (2010), ‘2009 Fraud Trends,’ press release. As of 28 January 2011:
http://www.cifas.org.uk/default.asp?edit_id=969-57
CIMAP (2007), Identity Fraud Trends and Patterns: Building a Data-Based Foundation for
Proactive Enforcement, Utica.
Clark, R. (1994), ‘Human Identification in Information Systems: Management Challenges
and Public Policy Issues,’ Information Technology and People 7:6–37. As of 28 January
2011: http://www.rogerclarke.com/DV/HumanID.html
Collins, J.M. (2003), ‘Business Identity Theft: The Latest Twist,’ Journal of Forensic
Accounting 1524–5586/Vol. IV:302–06. As of 28 January 2011:
http://www.auditnet.org/articles/jfa-collins.pdf
Collins, J.M. (2005), ‘Preventing Identity Theft in Your Business.’ Hoboken, NJ: John
Wiley and Sons.
Cybertrust and Crime Prevention (2004): Gaining Insights from Three Different Futures
Final Report to the Foresight Directorate, UK Office of Science and Technology, 10 June
2004 available at http://www.foresight.gov.uk CTCP
Dutch Ministry of Justice (2003), Hoofdlijnen kabinetsbeleid fraudebestrijding 2003–2007.
Felson, M. and Clarke, R.V. (1998), ‘Opportunity Makes the Thief: Practical theory for
crime prevention,’ Webb, B (ed); Policing and Reducing Crime Unit Police Research Series
Paper 98; Home Office; Research and Statistics Directorate; London
FIDIS, 2006, ‘D5.2b: ID-related Crime: Towards a Common Ground for
Interdisciplinary Research,’ R. Leenes (ed.). As of 28 January 2011, available at:
www.fidis.net
FIDIS, 2009, ‘D3.17: Identity Management Systems – recent developments.’ M. Meints
& H. Zwingelberg (eds.). As of 28 January 2011, available at: www.fidis.net
Fraud Prevention Expert Group (FPEG) (2007), ‘Report on Identity Theft/Fraud.’ As of
28 January 2011: http://ec.europa.eu/internal_market/fpeg/docs/id-theft-report_en.pdf
Gercke (2007), ‘Internet-related identity theft: A discussion paper prepared by Marco
Gercke (Germany)’ Council of Europe; Strasbourg as at 25 January 2011:
http://www.itu.int/osg/csd/cybersecurity/WSIS/3rd_meeting_docs/contributions/Internet
_related_identity_theft_%20Marco_Gercke.pdf
Gordon, G.R., N.A. Willox, D.J. Rebovich, T.M. Regan & J. B. Gordon (2004), ‘Identity
Fraud: A Critical National and Global Threat,’ Journal of Economic Crime Management
2:1–47.
Grijpink, J.H.A.M. (2003), ‘Identiteitsfraude als uitdaging voor de rechtstaat [Identity
Fraud as a Challenge to the Rule of Law],’ Privacy & Informatie, 148.
IAAC (2009), ‘Identity Assurance Concluding Report 2009’ Information Assurance
Advisory Council, Swindon As of 26 January 2011:
http://www.iaac.org.uk/research/concluding_rpt.html
Javelin (2005), ‘2005 Identity Fraud Survey Report (Complimentary Overview),’ Javelin
Strategy & Research, Pleasanton, CA. [Cited in Sproule and Archer (2007)]
Javelin (2009), ‘2009 Identity Fraud Survey Report (Complimentary Overview)’, Javelin
Strategy & Research, Pleasanton, CA
Knopjes, F. (2009), European Identity Systems: A Comparative Study, Lisbon.
Koops, B.J. & R. Leenes (2006), ‘Identity Theft, Identity Fraud, and/or Identity-related
Crimes.’ Datenschutz und Datensicherheit 30/9:553–56.
Lacey, D. & S. Cuganesan (2004), ‘The Role of Organizations in Identity Theft Response:
The Organization-Individual Victim Dynamic,’ The Journal of Consumer Affairs 38:244–
61.
Liberty Alliance Project (2005), ‘Liberty Alliance Whitepaper: Identity Theft Primer.’ As
of 28 January 2011:
http://www.projectliberty.org/liberty/content/download/376/2687/file/id_theft_primer_fi
nal.pdf
Mitchison, N., M. Wilikens, L. Breitenbach, R. Urry, & S. Portesi (2004), ‘Identity Theft
– A discussion paper.’ Italy: European Commission, Directorate-General, Joint Research
Centre.
Morris, S. (2004), ‘The Future of Netcrime Now,’ UK Home Office Online Report
62/04. As of 28 January 2011: http://rds.homeoffice.gov.uk/rds/pdfs04/rdsolr6204.pdf
Neumann, P.G. (1997), ‘The Social Security Internet Website: Technology and Privacy
Implications’ as of 28 January 2011: http://www.csl.sri.com/users/neumann/ssa.html
Newman, G.R. & M.M. McNally (2005), ‘Identity Theft Literature Review,’ vol.
Document No. 210459, U.S. Department of Justice.
Cave, J., Oranje, C., Schindler, H.R., Shehabi, A., Bruscher, P-B., Robinson, N. (2010)
Trends in connectivity technologies and their socioeconomic impacts: Final report of the
study: Policy Options for the Ubiquitous Internet Society; TR-776-EC; Santa Monica,
RAND
Organisation for Economic Co-Operation and Development (OECD) (2008), ‘OECD
Policy Guidance on Online Identity Theft’.
Organisation for Economic Co-Operation and Development (OECD) (2009), ‘Online
Identity Theft.’ As of 28 January 2011:
http://browse.oecdbookshop.org/oecd/pdfs/browseit/9309021E.PDF
Olsen, E. (2002), ‘Personal Identity’ in The Stanford Encyclopaedia of Philosophy, ed. E.N.
Zalta, Stanford, USA. As of 28 January 2011: http://plato.stanford.edu/entries/identity-personal/
Perl, M. (2003), ‘It’s Not Always About the Money: Why the State Identity Theft Laws
Fail To Adequately Address Criminal Record Identity Theft,’ Journal of Criminal Law and
Criminology Fall 2003:169–208.
Romanosky, S. et al. (2008), Do Security Breach Laws Reduce Identity Theft?, Heinz First
Research Paper.
Savona, E.U. & M. Migone (2004), ‘The Fox and The Hunters: How IC Technologies
Change the Crime Race,’ European Journal on Criminal Policy and Research 10:3–26.
Schneier, B. (2004), ‘Mitigating Identity Theft.’ As of 28 January 2011:
http://bt.counterpane.com/identity-theft.html
Sproule, S. & N. Archer (2007), ‘Defining Identity Theft,’ Paper presented at the Eighth
World Congress on the Management of eBusiness (WCMeB 2007), 11–13 July 2007. As
of 28 January 2011:
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&isNumber=4285291&arnumber=4285319
UK Cabinet Office (2002), ‘ID Fraud: A Study,’ London.
World Privacy Forum (2006), ‘Medical Identity Theft: The Information Crime that Can
Kill You.’ As of 28 January 2011:
http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf
APPENDICES
Appendix 1: National Profiles
Table A.1: List of correspondents
Country: Correspondent
Australia: James Forsaith, RAND Europe
Austria: Dr Max W. Mosing LLM LLM, Attorney At Law / Partner, Gassauer Fleissner Rechtsanwälte GmbH
Belgium: Hans Graux, time.lex Law Offices
Bulgaria: George Dimitrov, Dimitrov, Petrov & Co Law Offices
Canada: Lisa Klautzer, RAND Corporation, Santa Monica
China: Dr Prof Hong Xue, Director of the Institute for the Internet Policy & Law, Beijing Normal University
Cyprus: Olga Georgiades, Lexact Business & Legal Solutions
Czech Republic: Tomas Schollaert, Kines Law Offices
Denmark: Dr Henrik Udsen, University of Copenhagen
Estonia: Evelin Pärn-Lee, Sorainen Law Offices
Finland: Juhani Siira, Sorainen Law Offices
France: Fanny Coudert, time.lex Law Offices
Germany: Christoph Fey, Unverzagt-von Have Law Offices
Greece: Eleni Kosta, time.lex Law Offices
Hungary: Dr András Gerencsér
India: Dr Ponnurangam Kumaraguru, Assistant Professor, Indraprastha Institute of Information Technology, Delhi
Ireland: Prof Maeve McDonagh and Dr Fidelma White, University College Cork
Italy: Dr Gianluca Ansalone
Japan: Prof Yoshifuma Okada, Assistant Professor, Senshu University, Tokyo
Latvia: Agris Repss and Inese Rendeniece, Sorainen Law Offices
Lithuania: Sergejs Trofimovs and Renata Beržanskienė, Sorainen Law Offices
Luxembourg: Claire Léonelli, Molitor, Fisch & Associés Law Offices
Malta: Paul Gonzi and Antonio Ghio, Fenech and Fenech Law Offices
The Netherlands: Isa Dora Tytgat, time.lex Law Offices
Poland: Dr Dariusz Adamski, University of Wrocław
Portugal: Dr Pedro Simões Dias
Romania: Peter Buzescu, Buzescu Ca. Law Offices
Russian Federation: Stanislav Semiletov, RANS
Slovakia: Zuzana Halásová
Slovenia: Dr Alenka Žužek Nemec, Dept. of International Relations, Ministry of Public Administration
Spain: Cristina De Lorenzo, Sánchez Pintado & Núñez Law Offices
Sweden: Prof Christine Kirchberger, Swedish Law and Informatics Research Institute, University of Stockholm
United Kingdom: Prof Michael Levi, University of Cardiff
United States: Lisa Klautzer, RAND Corporation, Santa Monica
Scope and Structure of the National Profiles
The national profiles should provide a clear and concise overview of laws that could apply
to identity theft crimes, an indication of how they are applied in practice, and the existence
of any reporting mechanisms (such as websites).
For the purposes of the national profiles, identity theft is defined as any action in which a
party acquires, transfers, possesses, or uses personal information of a natural or legal person
in an unauthorised manner, with the intent to commit, or in connection with, fraud or
other crimes.96
Key elements include:
• malicious intent: the perpetrator has to act with the intent of committing criminal actions (after taking on the identity of the victim)
• consciously: the perpetrator has to intentionally (knowingly) take on the ‘false’ identity
• create a semblance: any form that tricks a third party into believing that the perpetrator is indeed the victim is included
• another one’s identity: the use of one’s own identity is not ID fraud
• using: only actual use, not merely possession, of the acquired identity is what constitutes fraud
• existing or non-existing: identities of both living and dead, existing or fictitious identities can be used.
96 OECD (2008)
By way of example, the following incidents are considered instances of identity theft:
• Phishing, ie, using emails and/or falsified websites to trick users into giving up identity information (eg, bank account numbers or passwords)
• Abuse/forgery of identity documents (eg, creating false passports)
• Spyware used to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
• Electronic communication interception (eg, logging email exchanges with the intent to use them for fraud)
• Phone and email scams in which the perpetrator uses a false identity
• Trafficking in personal information (eg, selling databases of credit card numbers)
• Falsifying signatures on a legal document
• Skimming (ie, using a credit card reader (skimmer) to swipe and store credit card numbers without the victim’s knowledge).
The following sections in relation to identity theft are expected to be included in each
national profile:
- Applicable laws: in this section, the correspondent will be asked to identify the main
laws which apply to identity theft incidents in his/her country. Given the very broad
scope of the identity theft concept, the emphasis will be on identifying any laws that
were explicitly created to define identity theft (which may not exist in all countries)
and on a specific selection of commonly applicable laws, as will be identified below.
References to the laws must be provided, along with a short summary of the applicable
provisions.
- Application in practice: a short overview should be provided of how these laws are
applied in practice, on the basis of a short selection of identity theft incidents. If
specific case law is available, the correspondents are requested to provide references
and summaries; if not, then an indication of whether they consider specific laws to be
applicable will be sufficient.
- ID theft reporting mechanisms: the correspondent should identify any existing or
planned reporting mechanisms (websites) such as one-stop shops, hotlines or portals.
Particular attention is to be directed to identify the existence of one-stop shops
dedicated exclusively to identity theft; however, websites focusing on cybercrime or
fraud in general may be reported as well if they also partially cover identity theft.
- Assessment: finally, the correspondent is asked to provide his/her personal appreciation
of the national situation.
National correspondents are required to maintain the structure outlined above, and may
not omit or disregard any sections. The exact contents will be covered in further detail
below.
The expected total size of each profile is 4 to 8 pages.
Relevant sources and references
The national correspondents are requested to include references to the sources that they
have consulted, in particular online sources (when available) and any consulted contact
persons (if applicable). A useful starting point for some countries may be the FIDIS
Identity Law survey (see https://idls.rechten.uvt.nl/), although it should be noted that this
information is not comprehensive (not all countries are covered) and not necessarily up to
date.
Whenever referring to national legislation or institutions, the correspondents are required
to provide the local name as well as an English language translation.
Australia
Laws focusing explicitly on ID theft
Australia does not have a federal law that specifically criminalises ‘identity theft’, although
a bill to that effect is before the federal parliament. This bill would introduce a new Part
9.5 ‘Identity crime’ into the Commonwealth Criminal Code. Although the bill is not yet
federal law, mirror legislation has been adopted by several Australian states and it is
therefore useful to summarise its main features.
Law criminalising ID theft (bill before federal Parliament)
Relevant law: Law and Justice Legislation Amendment (Identity Crimes and Other Measures) Bill 2008
Reference: http://www.comlaw.gov.au/ComLaw/legislation/bills1.nsf/0/97D036F315B0268CCA257514001EE613/$file/R4020B.pdf
Main provisions in relation to ID theft: The bill would introduce the following three offences:
• Dealing in identification information. A person (the first person) commits an offence if: (a) the first person deals in identification information; and (b) the first person intends that any person (the user) (whether or not the first person) will use the identification information to pretend to be, or to pass the user off as, another person (whether living, dead, real or fictitious) for the purpose of: (i) committing an offence; or (ii) facilitating the commission of an offence; and (c) the offence referred to in paragraph (b) is an indictable offence against a law of the Commonwealth.
• Possession of identification information. A person (the first person) commits an offence if: (a) the first person possesses identification information; and (b) the first person intends that any person (whether or not the first person) will use the identification information to engage in conduct; and (c) the conduct referred to in paragraph (b) constitutes an [indictable offence against a law of the Commonwealth].
• Possession of equipment used to make identification documentation. A person (the first person) commits an offence if: (a) the first person possesses equipment; and (b) the first person intends that any person (whether or not the first person) will use the equipment to make identification documentation; and (c) the first person intends that any person (whether or not referred to in paragraph (b)) will use the identification documentation to engage in conduct; and (d) the conduct referred to in paragraph (c) constitutes an [indictable offence against a law of the Commonwealth].
Prescribed sanction: Imprisonment for: 5 years (dealing in identification information); 3 years (possession of identification information); 3 years (possession of equipment).
This federal bill followed a nation-wide consultation process that resulted, in March 2008,
in a report on Identity Crime by the Model Criminal Law Officers’ Committee of the
Standing Committee of Attorneys-General, a body representing the Attorneys-General of
the Commonwealth and all States and Territories.97 The purpose of the three specific
offences, in the Committee’s own words, is to ‘comprehensively cover identity fraud and
identity theft’. However, due to Australia’s constitutional division of powers, the federal
bill implementing these is expressed to apply only to Commonwealth predicate offences,
ie, it would not criminalise the conduct in question if the person’s intention related only to
the commission of state and territory offences. The then Federal Minister for Home
Affairs, Bob Debus, therefore recommended, when the bill was introduced, that state and
territory governments pass mirror legislation.
Whereas the federal legislation still has not been passed by Parliament, most Australian
states have now enacted specific identity theft crimes. South Australia and Queensland
took this step before the introduction of the federal bill; other states have done so
subsequently. The situation at state and territory level is as follows:
South Australia was the first Australian jurisdiction to criminalise identity theft, in 2003,
by inserting Part 5A ‘Identity theft’ into the Criminal Law Consolidation Act 1935.98 This
provides for three offences:
• False identity etc. A person who (a) assumes a false identity; or (b) falsely
pretends (i) to have particular qualifications; or (ii) to have, or to be entitled to act
in, a particular capacity, makes a false pretence to which this section applies. A
person who makes a false pretence to which this section applies intending, by
doing so, to commit, or facilitate the commission of, a serious criminal offence is
guilty of an offence and liable to the penalty appropriate to an attempt to commit
the serious criminal offence.
• Misuse of personal identification information. A person who makes use of
another person's personal identification information intending, by doing so, to
commit, or facilitate the commission of, a serious criminal offence, is guilty of an
offence and liable to the penalty appropriate to an attempt to commit the serious
criminal offence.
• Prohibited material. Prohibited material means anything (including personal
identification information) that enables a person to assume a false identity or to
exercise a right of ownership that belongs to someone else to funds, credit,
information or any other financial or nonfinancial benefit. A person who (a)
produces prohibited material; or (b) has possession of prohibited material,
intending to use the material, or to enable another person to use the material, for a
criminal purpose is guilty of an offence. Maximum penalty: Imprisonment for 3
years. A person who sells (or offers for sale) or gives (or offers to give) prohibited
material to another person, knowing that the other person is likely to use the
material for a criminal purpose is guilty of an offence. Maximum penalty:
Imprisonment for 3 years. A person who is in possession of equipment for making
prohibited material intending to use it to commit an offence against this section is
guilty of an offence. Maximum penalty: Imprisonment for 3 years.
97 http://www.scag.gov.au/lawlink/SCAG/ll_scag.nsf/vwFiles/MCLOC_MCC_Chapter_3_Identity_Crime__Final_Report_-_PDF.pdf/$file/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf
98 http://www.legislation.sa.gov.au/lz/c/a/criminal%20law%20consolidation%20act%201935/current/1935.2252.un.pdf
In 2007, Queensland inserted section 408D into its Criminal Code: Obtaining or
dealing with identification information.99 A person who obtains or deals with another
entity’s identification information for the purpose of committing, or facilitating the
commission of, an indictable offence commits a misdemeanour. Maximum penalty: 3 years
imprisonment.
More recently, three other states have enacted laws based on the recommendations of the
Model Criminal Law Officers’ Committee. In Victoria, the Crimes Act 1958 now includes
Part 1 Division 2AA ‘Identity Crime’, in similar terms to the federal bill discussed above.100
In New South Wales, the Crimes Act 1900 now includes Part 4AB ‘Identity offences’, also
in similar terms to the federal bill, but with higher penalties (10 years for dealing in
identification information; 7 years for possession of identification information; 3 years for
possession of equipment).101 Likewise, in Western Australia, the Criminal Code now
includes Chapter LI ‘Identity crime’, also in similar terms to the federal bill but with
higher penalties.102
The state of Tasmania, the Northern Territory and the Australian Capital Territory have
yet to introduce bills focusing specifically on ID theft.
Other laws that may apply to ID theft incidents
This section focuses on federal legislation only.
99 http://www.legislation.qld.gov.au/legisltn/current/c/crimincode.pdf
100 http://www.legislation.vic.gov.au/domino/Web_Notes/LDMS/LTObject_Store/LTObjSt1.nsf/DDE300B846EED9C7CA257616000A3571/3EDADA8DAAA93CDCCA257761001C75E4/$FILE/586231a221.pdf
101 http://www.legislation.nsw.gov.au/inforcepdf/1900-40.pdf?id=9c895515-e9c7-4e07-c225-bccc258ccfdd
102 http://www.slp.wa.gov.au/legislation/statutes.nsf/main_mrtitle_218_homepage.html. The provisions are
contained in the notes at the end of the Criminal Code, because they have not yet been proclaimed. They will
likely enter into force very soon.
Privacy protection and data protection legislation
Information privacy
Relevant law: Privacy Act 1988
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/CDFBC6BC359968E4CA257758001791A7?OpenDocument
Main provisions in relation to ID theft: The Act establishes the office of the Privacy Commissioner, who conducts investigations and reports on ‘interferences with privacy’, ie, conduct ‘contrary to, or inconsistent with’ privacy principles set out in the act. These principles are not backed with criminal sanctions; however, Commonwealth government employees who breach them may incur criminal liability through other means.
There are some specific criminal provisions in Part IIIA ‘Credit reporting’ and Part VIA ‘Dealing with personal information in emergencies and disasters’.
Prescribed sanction: Fines (for credit reporting offences); imprisonment for 1 year (unlawful disclosure of personal information received in an emergency or disaster).
Personal financial information
Relevant law: Criminal Code Part 10.8
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft:
480.4: Dishonestly obtaining or dealing in personal financial information, ie, ‘information relating to a person that may be used … to access funds, credit or other financial benefits.’
480.5: Possession or control of a thing with intention to commit an offence against 480.4.
Prescribed sanction: 5 years imprisonment (dishonestly obtaining or dealing); 3 years (possession or control of a thing)
Criminal law
Fraud
Relevant law: Criminal Code Part 7.3 ‘Fraudulent conduct’
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft:
134: Obtaining property and financial advantage by deception are criminalised, but only where the victim is a Commonwealth entity. Otherwise, there are broadly similar provisions in state and territory laws.
Prescribed sanction: 10 years imprisonment
False and misleading statements
Relevant law: Criminal Code Part 7.4 ‘False and misleading statements’
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft:
136: Making a false or misleading statement in an application to the Commonwealth, or in relation to a law of the Commonwealth.
137: Giving false or misleading information to the Commonwealth, or in purported compliance with a law of the Commonwealth.
Prescribed sanction: 12 months imprisonment
Forgery
Relevant law: Criminal Code Part 7.7 ‘Forgery and related offences’
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft:
144: Making a false document with the intent that it will be accepted by the Commonwealth as genuine, thereby dishonestly obtaining a gain, causing a loss or influencing the exercise of a public function of the Commonwealth.
Prescribed sanction: 10 years imprisonment
Postal offences
Relevant law: Criminal Code Part 10.5
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft:
471.1: Theft of an article in the course of post.
471.2: Receiving a stolen article.
471.8: Dishonestly obtaining delivery of an article.
Prescribed sanction: 10 years imprisonment for theft and receiving; 5 years for dishonestly obtaining.
Telecommunications offences
Relevant law: Criminal Code Part 10.6
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft:
474.5: Causing a communication to be received by a person or carriage service other than the person or service to whom it is directed.
Prescribed sanction: 10 years imprisonment for theft and receiving; 5 years for dishonestly obtaining.
Cybercrime – unauthorised impairment
Relevant law: Criminal Code Part 10.7
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft:
477.2: Unauthorised modification of data stored on a computer, being reckless as to whether the modification may impair access to, or the reliability of, this data or other data.
477.3: Unauthorised impairment of electronic communication.
These offences must involve a telecommunications carriage service or concern Commonwealth computers or data.
Prescribed sanction: 10 years imprisonment.
Cybercrime – spam email (civil penalty provisions)
Relevant law: Spam Act 2003
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/DED153276FD7C6F9CA2570260013908A/$file/SpamAct03WD02.pdf
Main provisions in relation to ID theft:
16: Unsolicited commercial electronic messages must not be sent
17: Commercial electronic messages must include accurate sender information
20, 21, 22: Address-harvesting software must not be supplied, acquired or used
Prescribed sanction: A range of pecuniary penalties.
Opening false accounts
Relevant law: Financial Transaction Reports Act 1988
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/92D9EF651D840A88CA25768F0003B26C/$file/FinancTransReports1988.pdf
Main provisions in relation to ID theft:
24(1): opening an account with a cash dealer (broadly defined to include financial institutions, casinos, and other businesses) in a false name.
Prescribed sanction: Not specified in the legislation.
Application in Practice
There is no reported case law arising under any of the specific identity theft provisions
referred to above.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s): The specific ID theft laws in operation in Australian states, and
the proposed federal law, would capture this conduct only if there
was also an intention that (or recklessness as to whether) the
information would be used to commit a crime. For similar reasons,
no other (federal) crimes cover the conduct in question.
Case law available? No known case law.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s): Again, the specific ID theft laws in operation in Australian states,
and the proposed federal law, would capture this conduct only if
there was also an intention that (or recklessness as to whether) the
information would be used to commit a crime.
If the purpose is commercial then this would constitute an
infringement of the Spam Act 2003, attracting civil penalties.
Case law available? No known case law.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s): Use of the information obtained would constitute ‘dealing in
identification information’, whilst merely obtaining it would
permit a charge of ‘possession of identification information’. In
circumstances where special software or falsified websites were
being used, it would be relatively easy for the prosecution to
prove the necessary mental element (eg, intention to commit a
crime, or recklessness as to the information being used for this
purpose).
Also, this conduct would constitute ‘obtaining property by
deception’ under article 134 of the Criminal Code if directed at a
Commonwealth entity. Each state and territory has similar fraud
legislation to capture the (vast majority of) cases where the
conduct is not directed at a Commonwealth entity.
Also, the Spam Act (2003) outlaws the sending of unsolicited
commercial emails and the sending of commercial emails with
incorrect sender information, as well as the ‘harvesting’ of email
addresses from the Internet.
Case law available? No known case law.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s): There is no Australian law specifically targeting spyware (a
Spyware Bill was introduced in 2005 but never passed).
Again, use of the information obtained would constitute ‘dealing
in identification information’, whilst merely obtaining it would
permit a charge of ‘possession of identification information’. In
circumstances where special software was being used, it would be
relatively easy for the prosecution to prove the necessary mental
element (eg, intention to commit a crime, or recklessness as to
the information being used for this purpose).
Case law available? No known case law.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s): As with previous scenarios, this would constitute dealing in
identification information only if there was also an intention that
(or recklessness as to whether) the information would be used to
commit a crime. This will not be satisfied merely if the intention
was to send unsolicited commercial emails, because the Spam Act
2003 does not criminalise this conduct (it merely provides for
civil penalties). If there was a fraudulent element (eg, if the
intention was to commit phishing.
Case law available? No
ID Theft Reporting Mechanisms
The Attorney-General’s Department maintains a website on identity security, which
contains links to national strategies as well as a publication ‘Dealing with ID Theft’
(http://www.ag.gov.au/identitysecurity). This document, which is aimed at members of
the public, explains how identity theft can affect people’s lives, allows people to assess their
own vulnerability, sets out preventative advice and also provides guidance on what to do in
the event of possible identity theft – including relevant points of contact for reporting
incidents.
The ‘protect your financial identity’ website (http://www.protectfinancialid.org.au/) is a
joint initiative of the Australian Bankers Association, the Australian High Tech Crime
Centre and the Australian Securities and Investments Commission. It provides numerous
fact sheets, including lists of indicators that suggest that identity theft has occurred, and
steps to take to report identity theft to relevant authorities.
The SCAMwatch website (http://www.scamwatch.gov.au) is maintained by the Australian
Competition and Consumer Commission (ACCC). It deals with all types of scams, with
one section devoted to identity theft. It also contains a section devoted to reporting scams.
This allows members of the public to create a ‘scam report’ (by completing an online
form), which then goes to the ACCC. There are also links on this site to other sites,
including:
•
The Australian Securities and Investments Commission (financial scams):
http://www.fido.gov.au/fido/fido.nsf/byHeadline/Scams%20-%20reporting.
•
The Australian Taxation Office (tax scams):
http://www.ato.gov.au/onlineservices/content.asp?doc=/content/00179605.htm&mnu=47106&mfp=001/010
•
Various state consumer affairs agencies (local scams).
The Australian Communications and Media Authority provides an online facility to report
spam emails and spam SMS messages
(http://www.acma.gov.au/WEB/STANDARD/pc=PC_310294).
Most of these websites also provide preventative advice. Other sources of advice include:
•
The ‘stay smart online’ website, maintained by the federal government, which
includes videos on ‘protecting yourself from online identity theft’
(http://www.staysmartonline.gov.au/). A related government-sponsored initiative
is National Cyber Security Awareness Week.
•
The website of the Privacy Commissioner
(http://www.privacy.gov.au/topics/identity).
Personal Assessment of the Framework Combating ID Theft
The Australian framework for combating ID theft is necessarily fragmented by the division
of powers between the Commonwealth (federal) government and the states, which have
residual legislative power in all areas not mentioned by the Commonwealth constitution. It
is for this reason that the federal Law and Justice Legislation Amendment (Identity Crimes
and Other Measures) Bill 2008 would create ID theft offences which apply only to dealing,
possession, etc, for the purpose of committing an indictable offence against a law of the
Commonwealth (only). In this regard, the Australian bill differs from the US Identity Theft
and Assumption Deterrence Act, which applies to ‘activity... that constitutes a felony under
any state or local law’.
The scope of many of the other applicable laws is similarly limited. Thus many acts are
criminalised at federal level only where they involve Commonwealth laws, property,
entities, employees, etc. In some cases, the constitution allows for federal legislation to be
phrased more broadly, as with offences of a commercial nature, or those which involve the
transmission of information using a ‘telecommunications carriage service’. In general, it
should be noted that ‘gaps’ in the federal law are very often covered at state level. For
example, fraud in the Commonwealth Criminal Code applies only where the
Commonwealth is the victim, but fraud is also criminalised in each state and territory.
Whereas the federal ID theft bill of 2008 has still not been passed by Parliament, the five
most populous states all now have specific ID theft crimes on the books. Generally, these
are not standalone offences; they are based on an intention to commit or facilitate other
criminal conduct. In this regard, they add to the inchoate offences already provided for by
the common law or by statute, eg, attempting to commit a crime.103 From a law
enforcement perspective, they are potentially useful (in broadly the same way as some
counter-terrorism laws) because they criminalise conduct at an early stage, before it has
gone far enough to constitute an attempt or conspiracy. However, in practice they have
not been utilised. There are no cases arising under any of the specific ID theft provisions.
This may simply reflect that the laws have not been on the books for very long, although in
South Australia (albeit a jurisdiction of a little over 1m people) they have gone unused
since their introduction in 2003. Another possible explanation is that policing of identity
theft remains largely reactive. If this is the case, then offenders are likely to have
committed, or at least attempted other crimes by the time they are arrested, making it
unnecessary to overload the indictment with additional charges.
103
This view, that the offences resemble inchoate offences in nature, is supported by the fact that in most cases
it is specifically provided for that, eg, ‘It is not an offence to attempt to commit an offence against this section’
Despite the lack of utilisation of ID theft law to date, it should not be assumed that
authorities are generally slow to recognise and prosecute new crimes. For example,
although there are not yet any reported ID theft-related (eg, phishing) cases arising under
the Spam Act 2003, the act itself has been successfully used in the case of Australian
Communications and Media Authority v Clarity1 Pty Ltd [2006] FCA 410, with civil
penalties being ordered against the respondents for sending unsolicited commercial
electronic messages, and for using harvested address lists.
Austria
Laws focusing explicitly on ID theft
No legislation has been introduced in Austria that focuses explicitly on ID theft as a
specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, ‘cyber crime
provisions’, fraud, etc.).
No such legislation is currently under consideration in light of the information available.
Other laws that may apply to ID theft incidents
Privacy protection and data protection legislation
Privacy and ID Protection Provisions in the General Civil Code
Relevant law
General Civil Code; original promulgation: State Gazette
1811/946, last amendments: Federal Law Gazette I 2009/135
(Allgemeines bürgerliches Gesetzbuch (ABGB), JGS 1811/946 idF
BGBl I 2009/135),
Reference
See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001622 (only in German)
Main provisions in relation to ID theft
Sec 16 ABGB stipulates (since 1811) that every human being has
personal rights and that those are protected. According to the
common interpretation in Austria, this provision also safeguards
the ‘identity’ of every human being.
Sec 43 ABGB stipulates (since 1811): ‘If someone’s right to use
his/her name is denied or is compromised by unauthorized use of
his/her name (or pseudonym), he/she is entitled to sue for
injunctive relief and in case of default also for damages.’
Prescribed sanction
Pursuant to the general provisions of the ABGB and pursuant to
the specific sanctions in Sec 43 ABGB the person, whose
identity/name is abused, may sue for injunctive relief and in case
of default also for damages in front of the Civil Courts.
Data Protection Act 2000
Relevant law
Federal Act Concerning the Protection of Personal Data 2000;
original promulgation: Federal Law Gazette I 1999/165, last
amendments: Federal Law Gazette I 2009/135 (Bundesgesetz über
den Schutz personenbezogener Daten - Datenschutzgesetz 2000
(DSG 2000), BGBl I 1999/165 idF BGBl I 2009/135),
Reference
See http://www.dsk.gv.at/site/6274/default.aspx
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing,
Sec 1 DSG 2000 stipulates the ‘Fundamental Right to Data
Protection’: ‘Everybody shall have the right to secrecy for the
personal data concerning him, especially with regard to his
private and family life, insofar as he has an interest deserving such
protection. Such an interest is precluded when data cannot be
subject to the right to secrecy due to their general availability or
because they cannot be traced back to the data subject.’
Sec 33 DSG 2000 stipulates a provision for compensation of
damages:
‘(1) A controller or processor, who has culpably used data
contrary to the provisions of this DSG 2000, shall indemnify the
data subject pursuant to the general provisions of civil law. If data
falling under the categories listed in sect. 18 para. 2 no. 1 to 3
[Data deserving special protection – ‘Sensible Daten’] are publicly
used in a manner that violates a data subjects' interests in secrecy
deserving protection that is suitable to expose that person in a
like manner to sect. 7 para. 1 of the Media Act, Federal Law
Gazette No. 314/1981, that provision shall be applied even if the
public use of data is not committed by publication in the media.
The claim for appropriate compensation for the defamation
suffered shall be brought against the controller of the data used.
(2) The controller or processor shall also be liable for damages
caused by their staff, insofar as their actions were causal for the
damage.
(3) The controller shall be free from liability if he/she can prove
that the circumstances that caused the damage cannot be
attributed to him/her or his/her staff (para. 2). This also applies
to the exclusion of the processors' liability. In the case of
contributory negligence on the part of the injured party or a
person for whose conduct the injured party is responsible, sect.
1304 ABGB [contributory negligence] shall apply.’
Sec 51 DSG 2000 reads since 1/1/2010 as follows: ‘Whoever uses
personal data that have been entrusted to or made accessible to
him solely because of professional reasons, or that he has acquired
illegally for himself or makes such data available to others or
publishes such data with the intention to make a profit or to
violate somebody’s rights pursuant to Sec 1 DSG 2000, despite
the data subject's interest in secrecy deserving protection, shall be
punished by a court with imprisonment up to one year, unless
the offence shall be subject to a more severe punishment
pursuant to another provision.’
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, including indemnification for ‘suffered
mortification’ [‘erlittene Kränkung’] up to EUR 20,000 pursuant
to the Sec 33 DSG 2000 in combination with Sec 7 Media Act,
the violations above can also be criminally sanctioned with
imprisonment up to one year, unless the offence shall be subject
to a more severe punishment pursuant to another provision.
Communications secrecy laws – existence and technical aspects of electronic
communication and contents of electronic communication; Data Protection
Provisions in the Telecommunications Act 2003
Relevant law
Federal Act Enacting a Telecommunications Act
(Telecommunications Act 2003 – TKG 2003); original
promulgation: Federal Law Gazette I 2003/70, last amendments:
Federal Law Gazette I 2009/65 (Bundesgesetz, mit dem ein
Telekommunikationsgesetz erlassen wird (Telekommunikationsgesetz
2003 - TKG 2003), BGBl I 2003/70 idF BGBl I 2009/65).
Reference
See http://www.ris.bka.gv.at/Dokumente/Erv/ERV_2003_1_70/ERV_2003_1_70.html
Main provisions in relation to ID theft
Sec 93 TKG 2003 reads as follows – especially note para 4:
‘(1) The content data, traffic data and location data shall be
subject to confidentiality of the communications. Confidentiality
of the communications shall also refer to the data of unsuccessful
connection attempts.
(2) Every operator and all persons who are involved in the
operator’s activities shall observe confidentiality of the
communications. The obligation to maintain confidentiality shall
continue to exist also after termination of the activities under
which it was established.
(3) Persons other than a user shall not be permitted to listen, tap,
record, intercept or otherwise monitor communications and the
related traffic and location data as well as pass on related
information without the consent of all users concerned. This
shall not apply to the recording and tracing of telephone calls
when answering emergency calls and to cases of malicious call
tracing as well as to technical storage which is necessary for the
conveyance of a communication.
(4) If communications are received unintentionally by means of a
radio system, a telecommunications terminal equipment or any
other technical equipment which are not intended for this radio
system, this telecommunications terminal equipment or the user
of the other equipment, the contents of the communications as
well as the fact that they have been received must neither be
recorded nor communicated to unauthorized persons nor used
for any purposes. Recorded communications shall be erased or
otherwise destroyed.’
Sec 108 TKG 2003 reads as follows:
‘(1) Any person as defined in Sec 93 (2) who
1. without authorization discloses the fact or the contents of the
telecommunications, traffic of specific persons to an
unauthorized person or gives such a person the opportunity to
perceive facts himself that are subject to the obligation to
maintain secrecy,
2. falsifies, incorrectly relates, modifies, suppresses or incorrectly
conveys a communication or withholds it from the intended
recipient without authorization,
shall be punished by the court with a prison sentence of up to
three months or a fine of up to 180 times the daily rate unless the
offence carries a more severe penalty under another provision.
(2) The offender shall be prosecuted only at the request of the
aggrieved party.’
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of Sec 93 TKG 2003 are not sanctioned by
the TKG 2003, but might be sanctioned in terms of Sec
108 TKG 2003 and/or by the Penal Act (Sec 120 (2a)
StGB: imprisonment up to three months or penal fine
up to 180 daily rates).
•
Violations of Sec 108 TKG 2003 can be criminally
sanctioned with imprisonment of up to three months or
a fine of up to 180 times the daily rate unless the offence
carries a more severe penalty under another provision.
However the offender shall only be prosecuted at the
request of the aggrieved party.
Criminal law
Penal Act and Provisions in Connection with ID Theft
Relevant law
Penal Act (Strafgesetzbuch - StGB).
Reference
See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft
The StGB stipulates numerous crimes that might be effected in
connection with an ID Theft:
•
Sec 118a StGB stipulates the illegal access to a computer
system as a crime;
•
Sec 119 StGB stipulates the breach of the
telecommunications secrecy as a crime;
•
Sec 119a StGB stipulates the illegal seeking knowledge
of transferred data as a crime;
•
Sec 120 StGB stipulates the illegal use of recording
devices as a crime.
Regarding espionage
•
Sec 123 StGB stipulates espionage for trade secrets as a
crime; and
•
Sec 124 StGB stipulates the espionage for foreign countries as a
crime.
Furthermore,
•
Sec 126a StGB stipulates the damaging of data as a
crime;
•
Sec 126b StGB stipulates the interference regarding the
functionality of a computer system as a crime;
•
Sec 126c StGB stipulates the misuse of computer
programs or access data as a crime.
And finally,
•
Sec 148a StGB stipulates the fraudulent misuse of data
processing as a crime; and
•
Sec 225a StGB stipulates the forgery (including
falsifying) of data with the intention to use the forged
data as evidence as a crime.
Depending on the concrete ID theft incident the above
provisions may apply.
Furthermore, ID theft is often combined with the misuse of
payment transactions, whereas in this context the StGB stipulates
numerous additional specific provisions (Sec 241a to 241g
StGB).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of Sec 118a StGB regarding the illegal access
to a computer system can be criminally sanctioned with
imprisonment up to six months (in connection with
criminal organisation up to three years) or penal fine up
to 360 daily rates.
•
Violations of Sec 119 StGB regarding the breach of the
telecommunications secrecy can be criminally sanctioned
with imprisonment up to six months or penal fine up to
360 daily rates.
•
Violations of Sec 119a StGB regarding the illegal seeking
knowledge of transferred data can be criminally
sanctioned with imprisonment up to six months or penal
fine up to 360 daily rates.
•
Violations of Sec 120 StGB regarding the illegal use of
recording devices can be criminally sanctioned with
imprisonment up to one year or penal fine up to 360
daily rates.
•
Violations of Sec 123 StGB regarding espionage of trade
secrets can be criminally sanctioned with imprisonment
up to two years or penal fine up to 360 daily rates.
•
Violations of Sec 126a StGB regarding the damaging of
data can be criminally sanctioned – depending on the
value of the data – with imprisonment up to five years.
•
Violations of Sec 126b StGB regarding the interference
regarding the functionality of a computer system can be
criminally sanctioned – depending on the time of
interference or as a member of a criminal organisation –
with imprisonment up to five years.
•
Violations of Sec 126c StGB regarding the misuse of
computer programs or access data can be criminally
sanctioned with imprisonment up to six months or penal
fine up to 360 daily rates.
And finally,
•
Violations of Sec 148a StGB regarding the fraudulent
misuse of data processing can be criminally sanctioned –
depending on the damage – with imprisonment up to ten
years; and
•
Violations of Sec 225a StGB regarding the forgery
(including falsifying) of data with the intention to use
the forged data as evidence can be criminally sanctioned
with imprisonment up to one year.
Fraud
Relevant law
Penal Act (Strafgesetzbuch - StGB).
Reference
See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft
Fraud in general is punished by Sec 146 StGB. This article
sanctions any act of using deception (including use of false names
or titles, or any other type of deceptive manipulation or abuse of
good faith or credulity) with a view to appropriating someone
else’s property. This would apply to any ID theft incidents
involving the use of a falsified identity to appropriate property.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Sec 146 can be criminally sanctioned
with imprisonment up to six months or with fines up to 360
daily rates.
Please note that – depending on the damage and the concrete
circumstances (eg, using official documents or incorrect data,
etc.) – the sanctions could also be an imprisonment up to three
years and even between one and ten years (if damage is more
than EUR 50,000).
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Penal Act (Strafgesetzbuch - StGB).
Reference
See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft
Forgery is punished by Sec 223 et sqq StGB, including
particularly:
•
Sec 223 StGB: the forgery (including falsifying) of any
(signed) document with the intention to use the forged
document as evidence is a crime.
•
Sec 224 StGB: the forgery in terms of Sec 223 StGB by
forging an official/public document is a crime.
•
Sec 224a StGB: the possession and transfer of forged
documents is a crime.
•
Sec 225a StGB: the forgery (including falsifying) of data
with the intention to use the forged data as evidence is a
crime.
•
Sec 231 StGB: the use of public documents showing the
ID of somebody else is a crime.
Pursuant to Sec 311 StGB the producing of a false document by
a public servant is a crime.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of Sec 223 StGB regarding the forgery of
documents can be criminally sanctioned with
imprisonment up to one year.
•
Violations of Sec 224 StGB regarding the forgery of an
official/public document can be criminally sanctioned
with imprisonment up to two years.
•
Violations of Sec 224a StGB regarding the possession
and transfer of forged documents can be criminally
sanctioned with imprisonment up to one year.
•
Violations of Sec 225a StGB regarding the forgery of
data can be criminally sanctioned with imprisonment up
to one year.
•
Violations of Sec 231 StGB regarding the use of public
documents showing the ID of somebody else can be
criminally sanctioned with imprisonment up to six
months or a penal fine amounting to 360 daily rates.
•
Violations of Sec 311 StGB regarding the producing of a
false document by a public servant can be criminally
sanctioned with imprisonment up to three years.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Penal Act (Strafgesetzbuch - StGB).
Reference
See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft
Illegal access to information systems is punished by Sec 118a
StGB:
Accessing an information system without authorisation by
overcoming specific security mechanisms (‘external and internal
hacking’) to obtain and use data for the purpose of obtaining
profit or for the purpose of causing damage is a crime in terms of
Sec 118a StGB.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system, or to steal credentials from such a system.
For further crimes in this context see above.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Sec 118a StGB can be criminally
sanctioned with imprisonment of six months or fines of up to
360 daily rates.
Cybercrime – illegal data interference
Relevant law
Penal Act (Strafgesetzbuch - StGB).
Reference
See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft
Illegal data interference is punished by Sec 108 TKG 2003 (see
above) and Sec 126a StGB and Sec 126b StGB, including
particularly:
•
Sec 126a StGB: causing damage by changing or deleting
electronically processed data without authorisation;
•
Sec 126b StGB: entering information in a computer
system without authorisation and therefore altering its
normal use.
This would apply to any ID theft incidents involving the
falsifying of identity information stored in an information
system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of Sec 108 TKG 2003 can be criminally
sanctioned with imprisonment up to three months or
fines up to 180 daily rates.
•
Violations of Sec 126a StGB can be criminally
sanctioned with imprisonment up to five years.
•
Violations of Sec 126b StGB can be criminally
sanctioned with imprisonment up to five years.
Cybercrime – Computer-related Forgery
Relevant law
Penal Act (Strafgesetzbuch - StGB).
Reference
See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft
Data-related forgery is punished by Sec 225a StGB: the
producing of incorrect data or the forging of correct data by
entering, changing, deleting or blocking data, to use these data
for evidencing/showing a right is therefore a crime.
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceeding, violations of Sec 225a StGB can be criminally
sanctioned with imprisonment up to one year.
Cybercrime – computer-related fraud
Relevant law
Penal Act (Strafgesetzbuch - StGB).
Reference
See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft
Computer-related fraud is punished by Sec 148a StGB: any act
aiming to unlawfully appropriate someone else’s property by
entering, changing or deleting information in an information
system or altering its normal use by any technical means is
forbidden.
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceeding, violations of Sec 148a StGB can be criminally
sanctioned with imprisonment up to six months or penal fine up
to 360 daily rates or in the case of professional violation with
imprisonment up to three years or in the case of caused damage
exceeding EUR 50,000 with imprisonment from one to ten
years.
Application in practice
In the sections below, we will examine if/how these regulations are applied in practice,
including the identification of any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of Sec 43 ABGB regarding the unauthorized use of
names;
- if not generally available data of the other person are used it
could be a violation of the DSG 2000, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable;
- data-related forgery (if the forgery changed the legal impact of
the information);
- fraud, if the false identity was used to unlawfully appropriate
property.
Case law available?
No known case law by Higher Courts or Austrian Supreme
Court.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Unlawfully using another person’s credentials (eg, using someone
else’s username or password to send emails in his/her name)
could constitute:
- a violation of Sec 43 ABGB regarding the unauthorized use of
names (pseudonym);
- a violation of the DSG 2000, since the credentials are likely to
be considered personal data which are being unlawfully
processed;
- a violation of Sec 108 TKG 2003, if this use can be qualified as
falsifying the communication;
- a violation of Sec 118a StGB, if this use of the credentials can
be qualified as unlawful access to data related to electronic
communication;
- a violation of Sec 126c StGB, if the credentials can be qualified
as access data;
- fraud (Sec 146 StGB), if falsified messages were sent to
unlawfully appropriate property;
- forgery of data with the intention to use the forged data as
evidence/to show an (access) right (Sec 225a StGB).
Case law available?
No known case law by Higher Courts or Austrian Supreme
Court.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- a violation of the DSG 2000, since the credentials are likely to
be considered personal data which are being unlawfully
processed;
- a violation of Sec 123 StGB regarding espionage of trade
secrets, if the obtained information can be qualified as a trade
secret;
- fraud (Sec 146 StGB) and/or computer-related fraud (Sec 148a
StGB);
- forgery of data if the ‘trick’ involves forged data as evidence/to show
the right to obtain the identity information (Sec 225a StGB).
Case law available?
No known case law, although there is case law regarding the civil
law impact of a phishing attack on the relationship and liability
between a bank and its customers.
‘Cybercrimereport 2006’ of the Austrian Police says that there
were 381 victims of ‘Phishing-Attacks’ in Austria.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
The fact of using falsified identity documents (identity cards,
social security cards or passports) to unlawfully apply for social
benefits would likely be:
- if the name of another person is used, a violation of Sec 43
ABGB;
- if the ID of another person is used, a violation of the DSG
2000, since the data of this person deserving social benefits have
to be considered as personal data, which are being unlawfully
processed;
- violation of Sec 146 et seqq StGB and therefore fraud, because
also the Austrian State or the Austrian Social Insurance Company
can be victims in terms of Sec 146 et seqq StGB;
- violation of Sec 223 et seqq StGB:
•
Sec 223 StGB: the forgery (including falsifying) of any
(signed) document with the intention to use the forged
document as evidence to be entitled to social benefits (eg,
medical statements, etc.);
•
Sec 224 StGB: the forgery in terms of Sec 223 StGB by
forging an official/public (especially ID) document to
pretend to be entitled to social benefits;
•
Regarding online-application, etc.: Sec 225a StGB: the
forgery (including falsifying) of data with the intention to
use the forged data as evidence to be entitled to social
benefits;
•
In case of using someone else’s ID: Sec 231 StGB: the use
of public documents showing the ID of somebody to
pretend to be entitled to social benefits.
•
Regarding the involvement of public servants: Sec 311
StGB: the producing of a false document by a public
servant also in connection with social benefit proceedings
etc is a crime.
Case law available?
No known case law by Higher Courts or Austrian Supreme
Court.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be a violation of the DSG 2000, since the personal
information would be unlawfully processed.
Case law available?
No known case law by Higher Courts or Austrian Supreme
Court.
ID theft reporting mechanisms
No Official Reporting Site for ID Theft in Austria
In Austria there exists no official reporting site for ID theft. However,
•
http://www.bmi.gv.at/cms/bk/meldestellen/: the official reporting site, inter alia
for child pornography, but no site for ‘cyber crime’, although the implementation
of such site has been discussed for years in Austria.
•
http://www.saferinternet.at/ … is a website to empower citizens to use the
Internet, as well as other information and communication technologies, safely and
effectively. Saferinternet.at is the Austrian awareness node in the European
Internet Safety Network (Insafe). Saferinternet.at seeks to give children, youths,
parents, teachers and other interested parties tips and support to highlight and
avoid risks when using the Internet, while at the same time Saferinternet.at
illustrates the positive aspects of Internet use.
Saferinternet.at runs an information campaign, provides information and teaching
materials about safe and responsible use of the Internet, organises events and
works closely with all Austrian projects in the area of safer Internet and the
European Internet Safety Network.
Saferinternet.at is funded by the European Commission (Safer Internet
programme), the Federal Chancellery, ministries and industry sponsors
(Microsoft, Telekom Austria TA AG).
Saferinternet.at co-operates intensely with public administrations, non-governmental organisations and businesses.
The Austrian Institute for Applied Telecommunications (OIAT) is co-ordinator of
Saferinternet.at.
•
http://www.stopline.at/ is an Internet reporting hotline which can be contacted by
any Internet user very simply, quickly and informally – also anonymously – if
he/she finds the following content on the Internet: (i) Child Pornography (§ 207 a
StGB - Austrian Penal Code) or (ii) National Socialist Offences (‘Verbotsgesetz’ - National Socialist Prohibition Act) and ‘Abzeichengesetz’ (Act Against The
Wearing Of National Socialist Regalia And Symbols).
Reports regarding ID theft would probably also be forwarded to the police (see
above): after any report has been submitted to the STOPLINE, the agents check
whether the material is actually illegal according to the Austrian laws. In this case
the STOPLINE immediately contacts the responsible executive authority, the
affected Austrian ISP and the foreign partner hotlines within INHOPE, which is a
network of hotlines against illegal contents on the Internet.
STOPLINE is funded by the EC within the Safer Internet Programme and is a
member of INHOPE. The Association of Austrian Internet Service Providers (ISPA)
runs this hotline.
Consequently, there is no general reporting site for ‘cybercrime’ and none for ID theft in
Austria.
Therefore, apart from what is said above, ID theft incidents should be reported to
the general IT-Crime Department incorporated with the Federal Criminal Police Office
(‘Bundeskriminalamt’) - http://www.bmi.gv.at/cms/BK/start.aspx.
Personal assessment of the framework for combating ID theft
Globally, it seems that the legal framework for combating ID theft incidents, but only the
ones causing damages, is sufficiently comprehensive in Austria.
However, there is no official contact point for reporting Internet crimes in general, nor
for ID theft in particular, in Austria. STOPLINE and the official contact point of the
Federal Criminal Police Office (‘Bundeskriminalamt’) concentrate on (i) Child
Pornography (§ 207 a StGB - Austrian Penal Code) and (ii) National Socialist Offences
(‘Verbotsgesetz’ - National Socialist Prohibition Act) and ‘Abzeichengesetz’ (Act Against The
Wearing Of National Socialist Regalia And Symbols).
Consequently, victims of ID theft are required to go through official channels (ie,
registering a complaint with local police offices) up to the general IT-Crime Department
incorporated with the Federal Criminal Police Office (‘Bundeskriminalamt’). This process
seems to be rather non-transparent to victims.
However, ID theft does not appear to take a high priority in every day crime practice in
Austria.
Belgium
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Belgium that focuses explicitly on ID theft as a
specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, fraud, etc.).
No such legislation is currently under consideration to our knowledge. Instead, the policy
emphasis in Belgium is more on improving awareness of ID theft risks with potential
victims and law enforcement bodies.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Law of 8 December 1992 protecting the private sphere in
relation to personal data processing (Wet tot bescherming van de
persoonlijke levensfeer ten opzichte van de verwerking van
persoonsgegevens / Loi relative à la protection de la vie privée à
l'égard des traitements de données à caractère personnel)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1992120832
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they will
violate legitimacy requirements (article 5), proportionality
obligations and the purpose restriction (article 4), transparency
obligations (article 9), security obligations (article 16) and formal
obligations such as the prior notification to the Belgian Privacy
Commission (article 17).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with fines of 550 to 550.000 EUR.
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
Law of 13 June 2005 on electronic communication (Wet
betreffende de elektronische communicatie / Loi relative aux
communications électroniques)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=2005061332
Main provisions in relation to ID theft
Article 124 of this Act forbids any third party to (1) intentionally
seek knowledge of the existence of electronically sent information
not intended for him/her; (2) identify persons involved in such
data transfers; (3) intentionally access data related to electronic
communication; (4) use, modify or delete such information or
identification, irrespective of their origin.
The provision generally applies to unlawful acts in which a third
party tries to obtain information on the existence of someone
else’s electronic communications or of the technical
characteristics of such communications (eg, protocols used, IP
addresses, duration, usernames/passwords), and in which this
information is abused. This would apply to any ID theft
incidents requiring the collection/abuse of such data. It does not
apply to the contents of electronic communications as such; these
are protected through separate provisions as noted below.
Article 145 of this Act additionally prohibits the following acts:
•
Art. 145 §3: deceptively establishing electronic
communications with the intent to obtain an unlawful
economic benefit, and deploying any device intended to
(attempt to) commit any of the infractions in the law;
•
Art. 145 §3bis: using an electronic communications
network or service to cause any nuisance to a
correspondent or to otherwise harm him/her, and
deploying any device intended to (attempt to) commit
this infraction.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of article 124 can be criminally sanctioned
with fines of 275 to 275.000 EUR.
•
Violations of article 145 §3 can be criminally sanctioned
with fines of 275 to 275.000 EUR and/or imprisonment
between 1 and 4 years.
•
Violations of article 145 §3bis can be criminally
sanctioned with fines of 275 to 1.650 EUR and/or
imprisonment between 15 days and 2 years.
Communications secrecy laws – contents of electronic communication
Relevant law
Criminal Code (Strafwetboek / Code Pénal)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Articles 259bis and 314bis forbid the following acts:
•
Using any device to record or listen in on private
communications during the transfer without the consent
of all participants;
•
Deploying any device with a view of committing this
crime;
•
Keeping or unlawfully using (including revealing) any
recordings made in violation of the provision above.
Additional provisions punish the use of lawfully made recordings
if this is done deceptively or with the intent to cause harm, as well as
the production, ownership or distribution of any devices (including software or
data such as passwords) which were primarily designed or
modified to commit the aforementioned crimes.
This would apply to any ID theft incidents involving the
recording of electronic communications.
The main distinction between article 259bis and 314bis is the
scope: article 259bis applies to public servants and contains
harsher sanctions than article 314bis, which is aimed at the
general public. Exceptions are defined for military intelligence
services.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of article 259bis (public servants) can be
criminally sanctioned with fines of 2.750 to 110.000
EUR and/or imprisonment between 6 months and 2
years.
•
Violations of article 314bis (general public) can be
criminally sanctioned with fines of 1.100 to 55.000
EUR and/or imprisonment between 6 months and 1
year.
Criminal law
Fraud
Relevant law
Criminal Code (Strafwetboek / Code Pénal)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Fraud in general is punished by Article 496 of the Criminal
Code. This article sanctions any act of using deception (including
use of false names or titles, or any other type of deceptive
manipulation or abuse of good faith or credulity) with a view of
appropriating someone else’s property. This would apply to any
ID theft incidents involving the use of a falsified identity to
appropriate property.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of article 496 can be criminally
sanctioned with fines of 143 to 16.500 EUR and imprisonment
between 1 month and 5 years.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (Strafwetboek / Code Pénal)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Forgery is punished by Article 194 and following of the Criminal
Code, including particularly:
•
Art. 194: forgeries committed by public servants on
official documents, including through the use of falsified
signatures or by falsifying information in official registers
or documents;
•
Art. 196: forgeries committed by any other person on
official documents and in certain private documents
such as contracts, including through the use of falsified
signatures or falsified documents;
•
Art. 198: falsifying passports or other identity
documents or intentionally using such documents.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of article 194 (public servants) can be
criminally sanctioned with imprisonment between 10
and 15 years.
•
Violations of article 196 (general public) can be
criminally sanctioned with imprisonment between 5 and
10 years.
•
Violations of article 196 (general public) can be
criminally sanctioned with imprisonment between 1
month and 1 year.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code (Strafwetboek / Code Pénal)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Illegal access to information systems is punished by Article
550bis of the Criminal Code, including particularly:
•
§1: accessing an information system without
authorisation (external hacking);
•
§2: exceeding one’s access rights to an information
system (internal hacking);
•
§3: copying data from a hacked system, using the hacked
system to gain access to another system or causing
damage (even unintentionally) to the hacked system or
any other system in connection with the hacking;
•
§5: producing, owning or distributing any devices
(including software or data such as
usernames/passwords) which were primarily designed or
modified to commit the aforementioned crimes;
•
§7: keeping, revealing or otherwise using data obtained
from a hacked system.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system, or to steal credentials from such a system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of §1 can be criminally sanctioned with fines
of 143 to 137.500 EUR and/or imprisonment between 3
months and 1 year. When committed with deceptive
intent, imprisonment will be between 6 months and 2
years.
•
Violations of §2 can be criminally sanctioned with fines
of 143 to 137.500 EUR and/or imprisonment between 6
months and 2 years.
•
Violations of §3 can be criminally sanctioned with fines
of 143 to 275.000 EUR and/or imprisonment between 1
and 3 years.
•
Violations of §5 and 7 can be criminally sanctioned with
fines of 143 to 550.000 EUR and/or imprisonment
between 6 months and 3 years.
Cybercrime – illegal data interference
Relevant law
Criminal Code (Strafwetboek / Code Pénal)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Illegal data interference is punished by Article 550ter of the
Criminal Code, including particularly:
•
§1: entering, changing or deleting information in an
information system without authorisation or altering its
normal use by any technical means;
•
§2: causing damage to the data in an information system
as a result of committing the crime in §1;
•
§3: impeding the correct functioning of an information
system as a result of committing the crime in §1;
•
§4: producing, owning or distributing any devices
(including software or data such as
usernames/passwords) which were primarily designed or
modified to commit the aforementioned crimes,
knowing that these could be used to damage data or to
disrupt the functioning of an information system.
This would apply to any ID theft incidents involving the
falsifying of identity information stored in an information
system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of §1 can be criminally sanctioned with fines
of 143 to 137.500 EUR and/or imprisonment between 6
months and 3 years. When committed with deceptive
intent or intent to cause harm, imprisonment will be
between 6 months and 5 years.
•
Violations of §2 can be criminally sanctioned with fines
of 143 to 412.500 EUR and/or imprisonment between 6
months and 5 years.
•
Violations of §3 can be criminally sanctioned with fines
of 143 to 550.000 EUR and/or imprisonment between 1
and 5 years.
•
Violations of §4 and 7 can be criminally sanctioned with
fines of 143 to 550.000 EUR and/or imprisonment
between 6 months and 3 years.
Cybercrime – computer-related forgery
Relevant law
Criminal Code (Strafwetboek / Code Pénal)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Computer-related forgery is punished by Article 210bis of the
Criminal Code, including particularly:
•
§1: committing forgery by entering, changing or deleting
information in an information system or altering its
normal use by any technical means, in such a way that it
affects the legal impact of such data;
•
§2: using data while knowing that it was forged as
described in §1.
This would apply to, for example, any ID theft incidents
involving the use of false identity information in an information
system to change its legal impact (eg, changing the name of the
holder of a bank account, or performing banking transactions
under someone else’s name).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of §1 and §2 can be criminally sanctioned
with fines of 143 to 550.000 EUR and/or imprisonment between
6 months and 5 years.
Cybercrime – computer-related fraud
Relevant law
Criminal Code (Strafwetboek / Code Pénal)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Computer-related fraud is punished by Article 504quater of the
Criminal Code, including particularly §1: any act aiming to
unlawfully appropriate someone else’s property by entering,
changing or deleting information in an information system or
altering its normal use by any technical means.
This would apply to, for example, any ID theft incidents
involving the modification of information systems in order to
obtain usernames/passwords (eg, phishing).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of §1 can be criminally sanctioned with
fines of 143 to 550.000 EUR and/or imprisonment between 6
months and 5 years.
Application in practice
In the sections below, we will examine if/how these regulations are applied in practice,
including the identification of any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of data protection laws, since personal data of the victim
would likely be unlawfully processed to make the false identity
believable (eg, publication of the victim's name, address, photo, etc.);
- violation of communication secrecy laws, if the false profile results
in messages being sent to the false profile which were intended for
the real recipient;
- forgery and/or computer-related forgery, if the forgery changed the
legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was used
to unlawfully appropriate property.
Case law available?
Yes. In 2002, the criminal court of first instance in Liège ruled on a
case in which a visitor created a false identity on a discussion forum.
Using this false identity, the person solicited other visitors of the
forum to send erotic messages to a phone number, which did not
belong to him. The court ruled that the use of the false identity
constituted fraud and stalking (a qualification as computer fraud was
not possible, as the relevant provisions had not yet been adopted at
the time of the crime).
The defendant was given a 3 year suspension of sentence, and was
ordered to pay damages to the victim.
A copy of the decision can be found here: http://internetobservatory.be/internet_observatory/pdf/legislation/jur/jur_be_200211-18.pdf
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if use of the
credentials can be qualified as unlawful access to data related to
electronic communication (eg, to make bank transfers);
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used
to access a system without authorisation.
Case law available?
Several cases are known, specifically in relation to using a third
party’s stolen credit card. After a ruling by the Supreme Court
(Hof van Cassatie / Cour de Cassation) in 2003, most criminal
courts have found this to constitute computer-related fraud.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
The most likely qualifications would be:
- fraud, since the use of a false document would be considered a
deception with a view of unlawfully appropriating tax payer
money.
- forgery of identity documents or documents proving an
employment relation (sanctioned, inter alia, by art. 198 and
following of the Criminal Code).
- fraud in the field of social security (ex, inter alia, art. 2 of the
Royal Decree of 31/5/1933 and art. 175 of the Royal Decree of
25/11/1991): these provisions sanction applying for social
benefits without being entitled to receive them, and thus cover
applications based on falsified documents.
Case law available?
The issue of social security fraud by means of falsified identity or
by means of falsified supporting documents is a serious issue that
has a big financial impact on the State's budget. According to the
Belgian government, in 2008 the public authorities paid 2,55
million Euro to people who applied for social security benefits
without any right to obtain them (these figures relate only to
employment benefits, so that the total undue expenditure by
social security authorities is definitely bigger).
The case law in the field is extensive: one notable case that can be
mentioned here is: Court of Brussels (Corr. Recht., 46ste k.),
21/5/2004: a person who falsified his identity documents in
order to obtain social benefits was sentenced (for this fact in
combination with other crimes) to 3 years imprisonment and
1.000 Euros of sanction.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using the spyware itself (independent from what the
perpetrator would do with the stolen information) would likely
be:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system
without authorisation.
Case law available?
No known case law.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- a violation of the data protection act, since the personal
information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal
information contained data related to electronic communication (like
email addresses, IP addresses, etc.).
Case law available?
Yes. In 2000, the criminal courts of Ghent ruled in a case in which a
hacker had collected ISP customer data (username, password, email
addresses and credit card numbers) which he subsequently released to
press agencies. The hacker was convicted for violation of
communications secrecy laws, and fined 40.000 Belgian Francs
(approx. 1.000 EUR).
A copy of the decision can be found here: http://internetobservatory.be/internet_observatory/pdf/legislation/jur/jur_be_200012-11.pdf
No other notable case law has been identified.
ID theft reporting mechanisms
eCops reporting site
To facilitate the reporting and effective follow-up of any Internet-based crime (including
electronic ID theft), a general reporting site called eCops was established (www.ecops.be).
The site acts as a single contact point, through which any Internet-based crime incidents
(eg, phishing) can be reported using standardised forms, with interfaces being available in
Dutch, French, German and English. Anonymous reports are possible; only the source
where the crime was observed is mandatory (a URL, chat server IP address, newsgroup…).
Reports submitted via the site are automatically transferred to the Federal Computer
Crime Unit (FCCU, http://www.polfed-fedpol.be/crim/crim_fccu_nl.php), which is the
section of the Federal Judicial Police responsible for the investigation of computer crime
incidents. The FCCU manages the eCops site, in collaboration with the Federal Public
Service of the Economy.
It should be noted that the eCops site is primarily aimed at allowing citizens to report
Internet crime that they have observed but of which they were not the victims. Victims of
such incidents (including ID theft) are recommended to contact their local police office
directly, who can in turn call upon the FCCU or one of its regional divisions (Regional
Computer Crime Units, RCCUs) to assist them in their investigations if needed104.
Other sites
Apart from eCops, several other sites play a mainly informative role with respect to ID
theft, including notably:
•
Specifically to allow the verification of the authenticity of identity documents
(principally ID cards and passports), the websites CheckDoc
(https://www.checkdoc.be/) and DocStop (https://www.docstop.be/) were
established. CheckDoc is primarily targeted towards professional users (eg,
customs authorities abroad), allowing them to determine whether a Belgian ID
card is authentic on the basis of the identification number of the card, resulting in
a hit/no hit result. General information on the security characteristics of various
Belgian identity documents is also provided to allow a simple visual verification.
Actual follow-up of incidents falls within the competence of the Central Service
for Combating Forgeries (Centrale Dienst voor de Bestrijding van Valsheden /
L’Office central pour la répression des faux) within the Federal Judicial Police.
DocStop on the other hand is a site for Belgian citizens, allowing them to block
their eID cards in case of accidental loss or theft. The site primarily contains
contact information allowing citizens to contact the service directly.
•
The Internet Observatory (http://www.internet-observatory.be) is a website
managed by the Federal Public Service of the Economy, which disseminates
practical information on Internet usage in Dutch and French, including issues
such as ID theft (see, for example,
http://www.internetobservatory.be/protection_consumer/fraud_prevention/fraud_prevention_fr_004.htm)
•
Web4Me / SaferInternet.be (http://www.web4me.be/ /
http://www.saferinternet.be/): both of these websites aim to improve awareness of
basic Internet security through general tips and recommendations.
•
Arnaques / Consumentenbedrog (http://www.consumentenbedrog.be/,
http://www.arnaques.be/): a site disseminating general information in relation to
consumer protection, including with respect to common Internet fraud attempts.
The site provides practical examples of incidents and recommendations to
improve consumer awareness.
104
See http://www.polfed-fedpol.be/pub/brochures/pdf/FCCU-nl.pdf
Personal assessment of the framework for combating ID theft
Globally, it seems that the legal framework for combating ID theft incidents in Belgium is
sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents
which are not covered under present legislation. The establishment of a contact point for
reporting Internet crimes in general (the aforementioned eCops portal) can also be
considered a positive development.
Nonetheless, there are also a few weaknesses. Firstly, the eCops site is emphatically
promoted as a site for reporting Internet crimes by non-victims. Victims of ID theft are
still required to go through official channels (ie, registering a complaint with local police
offices). This process is still relatively non-transparent to victims, and follow-up to such
complaints can be slow, depending on the availability of resources of the investigating
magistrates. ID theft does not appear to take a high priority in investigations, except in
cases of clear and significant harm to the victim.
Secondly, the investigation of incidents remains complicated in practice, especially in cross
border cases. Even when clear evidence of an ID theft incident can be found (eg, a fake
profile on a social networking website through which false information is being spread), it
can often prove difficult to convince the website operators to take the offending
information off-line, and even harder to obtain information from the operator that would
make it possible for local judicial authorities to investigate the crime further (eg, IP
addresses or mail addresses used by the offender). In practice, this appears to be the main
challenge to combating ID theft incidents.
With respect to publicity, occasionally high profile incidents are reported in the
mainstream press. A recent case (published on 30 March 2010) involved an open letter
published in several national newspapers, denouncing the excessive consumption of
meat105, which was signed by a former representative of the Agricultural Union. In fact, it
was written by a well known Belgian author. In this case, the writer received a one year
suspended sentence, and was ordered to pay symbolic damages in the amount of 1 EUR
(in addition to 600 EUR which she paid voluntarily prior to the ruling). However, so far
such incidents have not had a strong impact on the public perception or policy regarding
identity theft.
105
See http://www.standaard.be/artikel/detail.aspx?artikelid=DMF20100330_100
Bulgaria
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Bulgaria that focuses explicitly on ID theft as a
specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, fraud, etc.). On
the other hand, the Bulgarian Criminal Code contains numerous provisions which fix
punishments for specific crimes that may involve ID theft incidents.
No such legislation is currently under consideration to our knowledge. Instead, the policy
emphasis in Bulgaria is more focused on improving awareness of ID theft risks with
potential victims and law enforcement bodies.
Other laws that may apply to ID theft incidents
Privacy protection and data protection legislation
Data protection laws
Relevant law
Personal Data Protection Act (Закон за защита на личните
данни), valid as of 1 January 2002; promulgated in SG, issue 1
from 4 January 2002; last amendment promulgated in SG,
issue 42 from 5 June 2009.
Reference
See http://www.cpdp.bg/en/index.php?p=element&aid=128
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they will
violate legitimacy requirements (article 4), proportionality
obligations and the purpose restriction (article 2(2)),
transparency obligations (article 19), security obligations (article
23) and formal obligations such as the prior notification to the
Bulgarian Personal Data Protection Commission (article 17).
Prescribed sanction
Apart from indemnifications that the victim may receive in civil
proceedings, the violations above can also be sanctioned as
administrative infringements with fines of BGN 500 to BGN
100.000 (approximately from 250 to 50.000 EUR). It must be
noted that the violation of the requirements of the Personal Data
Protection Act themselves are not crimes under Bulgarian
legislation.
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
Electronic Communications Act (Закон за електронните
съобщения), promulgated in SG, issue 41 from 22 May 2007,
last amendment promulgated in SG, issue 17 from 2 March
2010.
Reference
See http://www.crc.bg/files/_en/ZES_ENG.pdf
Main provisions in relation to ID theft
Article 246 of this Act explicitly prohibits listening, tapping,
storage or any other kind of interception or surveillance of
electronic communications by a third person that is not the
sender or the recipient without their explicit consent, unless it is
provided by law. This prohibition does not apply to the providers
of electronic communications networks and/or of electronic
communications services when the storage is necessary for
technical reasons or is a substantial part of the provision of the
services, as well as when it is performed by authorized persons for
the purposes of monitoring of the technical parameters of the
services. In these cases the provider must destroy the stored
electronic communications immediately when the reasons for
that storage cease to apply.
The prohibition concerns any unlawful acts in which a third
party tries to obtain information on the existence of someone
else’s electronic communications or to obtain traffic data related
to those communications. It also covers any unlawful acts in
which a third party tries to obtain access to any other data which
may reveal that content (eg, usernames/passwords).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of the rules for protecting the confidentiality
of the communications and the traffic data related to the
communications transferred via an electronic
communication network may be sanctioned with fines of
BGN 1.000 to BGN 10.000 (approximately from 500 to
5.000 EUR), unless the respective violation constitutes a
crime. Since the unlawful access to the content of
electronic communications is a crime, the above sanction
generally applies to cases where the perpetrator obtains
access to data which may reveal the content of electronic
communications but does not access the content itself.
• For interference with and/or changing the content of third
parties’ electronic communications in a public electronic
communications network fines of BGN 200 to BGN
2.000 (approximately from 100 to 1.000 EUR) may be
imposed, unless the respective act constitutes a crime.
• An official who abuses the data retained in compliance
with requirements of the Data Retention Directive
2006/24/EC may be sanctioned with fines of BGN
1.000 to BGN 10.000 (approximately from 500 to
5.000 EUR), unless the respective violation constitutes a
crime.
Communications secrecy laws – contents of electronic communication
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
According to the Constitution of the Republic of Bulgaria
(Конституция на Република България,
http://www.vks.bg/english/vksen_p04_01.htm) the
confidentiality of correspondence and of all other
communications is inviolable. The fundamental right covers all
kinds of communications and forbids all kinds of unlawful actions
or omissions which may violate that confidentiality. Regarding
the confidentiality of electronic communications, the general
constitutional rule is repeated in more detail in the above
cited Art. 246 of the Electronic Communications Act. The
violation of the confidentiality of correspondence (including all
kinds of electronic communications) is criminalized under
Bulgarian law.
A person who accesses or through other actions finds out the
content of a communication which is sent electronically and is
not addressed to him/her may be prosecuted under Art. 171,
para. 1, item 3 of the Criminal Code. A person who diverts a
communication sent electronically from its actual addressee
will also be held liable under Art. 171, para. 1, item 3 of the
Criminal Code.
If any of the above mentioned criminal acts is committed by an
official, he/she will be prosecuted under Art. 171, para. 2 of the
Criminal Code. The difference between Art. 171, para. 1 and
Art. 171, para. 2 is the scope and the punishment – Art. 171,
para. 2 applies only to officials who abuse their positions when
committing the above mentioned criminal act and respectively,
the punishment is more severe.
A person who unlawfully accesses and finds out the content of a
communication which is sent via telephone, telegraph, computer
network or via other kind of electronic communications means
and is not addressed to him/her, by using special technical
means, will be held liable under Art. 171, para. 3 of the Criminal
Code. If this criminal act is committed with mercenary intent or
causes significant damages the perpetrator will be prosecuted
under Art. 171, para. 4 of the Criminal Code which provides for
more severe punishment. This provision will apply to all
incidents of ID theft involving recording of electronic
communications.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations under Art. 171, para. 1, item 3 (general) can
be criminally sanctioned with imprisonment up to 1 year
or with fines of BGN 100 to BGN 300 (approximately
from 50 to 150 EUR).
• Violations under Art. 171, para. 2 (officials) can be
criminally sanctioned with imprisonment up to 2 years.
In this case the court may also impose an additional
punishment – deprivation of the right to hold certain
state or public position.
• Violations under Art. 171, para. 3 (usage of special
technical means) can be criminally sanctioned with
imprisonment up to 2 years.
• Violations under Art. 171, para. 4 (usage of special
technical means and mercenary intent or causing
significant damages) can be criminally sanctioned with
imprisonment up to 3 years and fines up to BGN 5.000
(approximately up to 2.500 EUR).
Criminal law
Fraud
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
Fraud in general is punished by Article 209 and the following of
the Criminal Code. These articles sanction any act of deceiving
someone or maintaining a deceit (including use of false names or
titles, or any other type of deceptive manipulation or abuse of
good faith or credulity) for the purposes of appropriating
property for himself/herself or for a third party, and in this way
causing damages to the deceived or to another person. Also, these
articles sanction any act of using such deception if in such a way
the perpetrator causes damages to the deceived or to another person.
These provisions would apply to any ID theft incidents involving
falsification of identity for the purposes of appropriating
property.
When, for the purposes of the fraud and in particular for
obtaining somebody else’s property, a forged, false or unauthentic
document is used, the perpetrator will be held liable for the
so-called documentary fraud under Art. 212 of the Criminal Code.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Art. 209 and the following can be
criminally sanctioned with imprisonment up to 10 years. The
punishments are differentiated depending on how grave the
committed criminal act is. In certain cases, along with the
imprisonment the court may impose confiscation of up to
half of the property of the convicted person.
Apart from damages that the victim may receive in civil
proceedings, violations of Art. 212 can be criminally sanctioned
with imprisonment up to 20 years. Again the punishments are
differentiated depending on how grave the committed
criminal act is. For certain cases the court may also impose
additional sanctions: (1) deprivation of the rights to hold certain
state or public position and of the right to exercise certain
profession and/or (2) confiscation of a part or of all property of
the convicted person.
The Criminal Code provides for less severe punishments if the
convicted person returns or replaces, before the end of the
court proceeding before the first instance, the property
appropriated through the committed documentary fraud.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
Forgery is punished by Article 308 and following of the Criminal
Code, including particularly:
• Art. 308, para. 1: forgeries of official documents;
• Art. 308, para. 2: forgeries of specific documents as ID
papers or papers certifying the civil status (family status;
birth or death certificates, etc.), notary certified
documents or notary deeds, diplomas, etc.
• Art. 308, para. 3: forgeries under Art. 308, para. 1 and 2
committed for appropriating property.
• Art. 309: forgeries of private documents and their use
after that;
• Art. 310: forgeries of official documents committed by
officials within their official functions;
• Art. 315: forgeries committed by using someone’s
signature through introduction in a signed blank sheet
statements which do not fit to the signatory’s will as well
as forgeries committed by misleading someone to sign a
document which does not fit to his/her will;
• Art. 318: unlawful use of official document issued for
another person for deceiving a state authority or
representative of the public.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 308, para. 1 (official documents) can
be criminally sanctioned with imprisonment up to 3
years.
• Violations of article 308, para. 2 (specific documents like
ID papers) can be criminally sanctioned with
imprisonment up to 8 years.
• Violations of article 308, para. 3 (forgeries for
appropriating property) can be criminally sanctioned
with imprisonment up to 10 years. The appropriated
property or its pecuniary value is subject to confiscation
by the state.
• Violations of article 309 (forgeries of private documents
like contracts and others) can be criminally sanctioned
with imprisonment up to 2 years or up to 3 years
(forgeries of securities).
• Violations of article 310 (officials) can be criminally
sanctioned with imprisonment up to 5 years and with
deprivation of the right to hold certain state or public
position.
• Violations of article 315 (forgeries related to the use of
someone else’s signature) can be criminally sanctioned
with the same punishments as per Art. 308 and 309 (see
above).
The same punishments as those listed above may also be imposed
in cases when the perpetrator uses a forged or false document
though he/she cannot be held liable for the forgery itself (Art.
316 of the Criminal Code).
Apart from damages that the victim may receive in civil
proceedings, violations of article 318 (use of official document
issued for somebody else) can be criminally sanctioned with
imprisonment up to 2 years or probation or with fines of BGN
100 to BGN 300 (approximately from 50 to 250 EUR).
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
Illegal access to information systems is punished by Article 319a
of the Criminal Code, including particularly:
• Para. 1 and 2: copying, using or accessing
computer data in a computer system without
authorisation if such is required (external hacking).
Paragraph 2 concerns cases when the criminal act is
committed by more than one person who agreed in
advance on the respective actions;
• Para. 3: copying, using or accessing computer data
in a computer system without authorisation when the
data are related to the creation of an electronic signature.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to a computer
system, or to steal credentials from such a system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of Art. 319a, para. 1 can be criminally
sanctioned with fines amounting up to BGN 3.000
(approximately 1.500 EUR).
• Violations of Art. 319a, para. 2 can be criminally
sanctioned with fines amounting up to BGN 3.000
(approximately 1.500 EUR) or with imprisonment up to
1 year.
• Violations of Art. 319a, para. 3 (concerning data related
to the creation of an electronic signature) can be
criminally sanctioned with fines amounting up to BGN
5.000 (approximately 2.500 EUR) or with
imprisonment up to 3 years.
• Violations of Art. 319a which concern state or other
secret protected by law can be criminally sanctioned with
imprisonment between 1 and 3 years if it is not subject
to more severe sanction.
• Violations of Art. 319a with grave consequences can be
criminally sanctioned with imprisonment between 1 and
8 years.
Cybercrime – illegal data interference
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
Illegal data interference is punished by Article 319b of the
Criminal Code, including particularly any addition, change,
deletion or destruction of a computer program or computer data
without the authorization of the person that administrates or
uses the respective computer system.
The introduction/installation without authorization of a
computer virus or another computer program which is designed
to disturb the functioning of a computer system or a computer
network or to gather, to erase, to delete, to change or to copy
computer data is punished by Art. 319d, unless the committed
act constitutes a graver crime.
This would apply to any ID theft incidents involving the
falsifying of identity information stored in a computer system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of Art. 319b can be criminally sanctioned
with fines amounting up to BGN 5.000 (approximately
2.500 EUR) and/or with imprisonment up to 3 years.
• Violations of Art. 319c can be criminally sanctioned
with fines amounting up to BGN 3.000 (approximately
1.500 EUR). When the violation causes significant
damages or it is committed again, it can be criminally
sanctioned with fines amounting up to BGN 3.000
(approximately 1.500 EUR) and with imprisonment up
to 3 years.
• Violations of Art. 319d can be criminally sanctioned
with imprisonment up to 1 year. When it is committed with
mercenary intent or causes significant damages or
consequences, it can be sanctioned with imprisonment
up to 3 years.
Cybercrime – computer-related forgery
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
When the illegal data interference concerns data which according
to the law is supposed to be submitted electronically or on a
magnetic, optical or other medium, the perpetrator will be held
liable under Art. 319c of the Criminal Code.
The provision of Art. 319c does not refer to typical
computer-related forgery. However, it would apply to any ID theft
incidents involving the changing of identity information which
according to the law is submitted electronically or on a magnetic,
optical or other medium.
A person who, for the purposes of appropriating property, enters,
changes, deletes or erases computer data without being
authorized to do so will be held liable under Art. 212a, para. 2 of
the Criminal Code. This would apply to any ID theft incidents
involving the creation of false identity information in a computer
system for the purposes of appropriating property. It must be
noted that the provision of Art. 212a, para. 2 is systematically
part of the provisions concerning fraud.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Art. 319c can be criminally sanctioned
with fines amounting up to BGN 3.000 (approximately 1.500
EUR). When the violation causes significant damages or it is
performed again, it can be criminally sanctioned with fines
amounting up to BGN 3.000 (approximately 1.500 EUR) and
with imprisonment up to 3 years.
Apart from damages that the victim may receive in civil
proceedings, violations of Art. 212a, para. 2 can be criminally
sanctioned with fines amounting up to BGN 6.000
(approximately 3.000 EUR) and with imprisonment between 1
and 6 years.
Cybercrime – computer-related fraud
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
Computer-related fraud is punished by Article 212a, para. 1 of
the Criminal Code, including particularly any act aiming to
unlawfully appropriate someone else’s property by deceiving
somebody or maintaining a deceit through entering, changing,
deleting or erasing computer data or through using someone
else’s electronic signature.
This would apply to any ID theft incidents involving the
modification of information in computer systems in order to
obtain usernames/passwords (eg, phishing) or using false identity
by using someone else’s electronic signature.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Art. 212a, para. 1 can be criminally
sanctioned with fines amounting up to BGN 6.000
(approximately 3.000 EUR) and with imprisonment between 1
and 6 years.
Cybercrime – Disseminating passwords and codes for access to computer system
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
Any dissemination or disclosure of passwords or codes for access
to a computer system which leads to disclosure of personal data or
of a state secret or other secret protected by law is punished by
Art. 319e of the Criminal Code.
This would apply to ID theft incidents involving trafficking or
transferring of personal information.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Art. 319e, para. 1 can be criminally
sanctioned with imprisonment up to 1 year. When it is committed
with mercenary intent or causes significant damages, it can be
criminally sanctioned with imprisonment up to 3 years.
Usage of a payment instrument or data from a payment instrument without the
consent of its owner
Relevant law
Criminal Code (Наказателен кодекс), valid as of 1 May 1968,
promulgated in SG, issue 26 from 2 April 1968, last amendment
promulgated in SG, issue 102 from 22 December 2009.
Reference
See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft
The usage of a payment instrument and the usage of data from
such an instrument without the consent of the owner/holder of
the respective payment instrument is punished by Art. 249, para.
1 of the Criminal Code, unless it is a graver crime.
The creation, installation or usage of technical means for the
purposes of obtaining information about the content of a
payment instrument is punished by Art. 249, para. 3.
Respectively, the storage or the provision of such information is
punished by Art. 249, para. 4 of the Criminal Code.
A person who performs bank transfers by using forged or false
documents will be held liable under Art. 250 of the Criminal
Code.
The above provisions would apply to ID theft incidents involving
stealing payment instrument credentials and usage of a false
identity for the purposes of using someone else’s payment
instruments.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of Art. 249, para. 1 can be criminally
sanctioned with fines of double the amount of the received
sum and with imprisonment between 2 and 8 years.
• Violations of Art. 249, para. 3 or 4 can be criminally
sanctioned with fines of double the amount of the received
sum and with imprisonment between 1 and 8 years.
• Violations of Art. 250 can be criminally sanctioned with
fines of double the amount of the respective bank transfer and
with imprisonment between 1 and 10 years.
Application in practice
In the sections below, we will examine if/how these regulations are applied in practice,
including the identification of any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of data protection laws, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable (eg, publication of the victim's name, address,
photo, etc.);
- violation of communication secrecy laws, if the false profile
results in messages being sent to the false profile which were
intended for the real recipient;
- computer-related forgery, if the creation or the usage of the false
profile is related to any unauthorized entering, change, deletion
or erasure of computer data and the respective false profile is used
for appropriating property;
- fraud and/or computer-related fraud, if the false identity was
used to unlawfully appropriate property.
Case law available?
No known case law.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if use of the
credentials can be qualified as unlawful access to data related to
electronic communication, as access to electronic communications
content or as diversion of these communications from their actual
addressee;
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used
to access a system without authorisation;
- illegal usage of a payment instrument or data from a payment
instrument without the consent of its owner, if the credentials
concern such a payment instrument or were used for the creation
of such a false payment instrument; also if the credentials and the
respective false identity were used for performing bank transfers.
Case law available?
Several cases are known, specifically in relation to: unlawfully
obtaining data related to third party’s bank cards by using special
technical means; reproduction of false plastic copies of bank cards
by using unlawfully obtained data regarding such bank cards and
respectively, usage of someone else’s bank card or a plastic copy
of such a card.
In Case No 159 of 2007 the Bourgas Regional Court found the
accused guilty of using another person’s debit card without his
knowledge or approval.
In Case No 291 of 2009 before the Sofia Court of Appeal the
accused made and used plastic copies of real credit cards
containing all necessary information to make a bank transfer and
were found guilty of using these cards.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to traffic data or
other data which may reveal the content of the electronic
communication;
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering,
changing or deleting information in a computer system without
authorisation (eg, in order to falsify a website) or installation of a
computer virus or another computer program in a third party’s
computer system without authorization.
Case law available?
No known case law.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using the spyware itself (independent from what the
perpetrator would do with the stolen information) would likely
be:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data which may
reveal the content of electronic communications;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system
without authorisation.
Case law available?
The Criminal Code provides that the installation in a computer
system without authorisation of any computer programme
intended to gather, to erase, to delete, to change or to copy
computer data is a crime. The respective provisions, however,
have not yet been applied in practice.
Case law exists, however, regarding the use of a method for
obtaining identity information and credentials by using a
combination of hardware and software. In Case No 337 of 2008
of the Bourgas Regional Court the court found the accused guilty
of mounting a special technical device on an ATM device,
through which he had acquired information contained in bank
cards used on that ATM.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- a violation of the data protection act, since the personal
information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal
information contained traffic data or data which may reveal the
content of electronic communications;
- illegal dissemination of information whose dissemination is
prohibited by law;
- illegal dissemination or disclosure of passwords or codes for
access to a computer system which leads to disclosure of personal
data or of a state secret or other secret protected by law, if the
trafficked data contains such details.
Case law available?
Yes. In Case No 25 of 2008 the Sliven Military Court found the
defendant guilty of disclosing personal data (including names,
personal identification numbers, addresses, and photos) belonging
to a group of natural persons, to a single natural person who was
not entitled to access the data.
A copy of the decision can be found here:
http://www.rsslivnitza.org/acts.html?filter=filter&filters[case_number]=284&filters[case_year]=2007&filters[ingoing_number]=&commit=%D0%A2%D1%8A%D1%80%D1%81%D0%B8
Claiming false identity – non-electronically (eg, using someone else’s ID documents
or false ID documents or forgery of ID documents)
Applicable law(s)
The act of claiming a false identity non-electronically would likely
be:
- a violation of the data protection act if the personal information
has been unlawfully processed (for creation of false documents);
- forgery of official documents if such have been changed;
- fraud or documentary fraud if the false identity was used to
unlawfully appropriate property.
Case law available?
In Case No 284 of 2007 the Slivnitza District Court found the
defendant guilty of using another person’s valid identification
document (passport) with the purpose to deceive the bodies of
the customs administration and create the false belief that she is
the person to whom the passport belongs.
In Case No 37 of 2006 of the Sofia Military Court the court
found the accused guilty of using a forged passport when trying
to cross the state border. The passport had not been entirely
created by the criminal. It had been legally issued to another
person, but after that illegal changes had been introduced to its
contents, which was enough for it to be considered counterfeit.
In Case No 1278 of 2007 before the Kazanlak District Court the
defendant was found guilty of fraud under. He created entirely
unauthentic documents – an invoice and a sale contract and then
used them to prove the existence of a contract between a certain
natural person and a legal entity.
ID theft reporting mechanisms
Official website for combat against cybercrimes
To facilitate the reporting and effective follow-up of Internet-based crime and, in
particular, of phishing, a site was established under the control of the law enforcement
department of the Bulgarian Ministry of the Interior that is competent for the investigation
of cybercrimes (http://www.cybercrime.bg/index.html). The site acts as a single contact point
through which Internet-based crime incidents (eg, phishing) can be reported using a
standardised form with an interface available in Bulgarian. Anonymous reports are possible.
The website allows submission of a description of the respective incident and an email contact
for feedback (it is not mandatory).
This website also contains useful and comprehensible information on some cybercrimes,
including on the risk of ID theft incidents on the Internet and how citizens can protect
themselves against such attacks.
Other sites
Apart from the above specialized website, the website of the Bulgarian Personal Data
Protection Commission (http://www.cpdp.bg/?p=pages&aid=6) allows online submission
of any complaints related to any violation of data protection legislation. To submit a
valid complaint, a name, valid email and address are required. On the basis of such an
online complaint the Commission initiates a respective inspection, which may end with
obligatory prescriptions to the data controller that has violated the law or even with
the imposition of a sanction.
Personal assessment of the framework for combating ID theft
Globally, it seems that the legal framework for combating ID theft incidents in Bulgaria is
sufficiently comprehensive as there do not appear to be any examples of ID theft incidents
which are not covered under present legislation. The establishment of a contact point for
reporting cybercrimes in general (the aforementioned website for combat against
cybercrimes) can also be considered as a positive development.
Nonetheless, there are a few weaknesses. Firstly, the above mentioned website is not
subject to update or further development. Also, it is not very well promoted among the
public. In practice, victims of ID thefts are still required to go through official channels (ie,
registering a complaint with local police offices).
Secondly, the investigation of incidents remains complicated in practice, especially in
cross-border cases. Numerous cases cannot end with an effective sentence because of significant
mistakes and procedural infringements during the investigation and the collection of
evidence.
Also, even when clear evidence of an ID theft incident can be found (eg, a fake profile on a
social networking website through which false information is being spread), it can often
prove difficult to convince the website operators to take the offending information off-line,
and even harder to obtain information from the operator that would make it possible for
the victim to protect his/her privacy (eg, IP addresses or mail addresses used by the
offender). In practice, this appears to be the main challenge to combating ID theft
incidents. The reason is that there is no regulation focused specifically on the online ID
theft incidents which are not related to a fraud or other mercenary purpose but result only
in moral damages. Such cases are not treated as crimes and respectively are not subject to
criminal investigation. In this respect such violations can be sanctioned only as
administrative infringements regardless of how serious their consequences are for the privacy
and for the intimate life of the victim. Also, since such actions are not crimes the options
for obtaining information about the perpetrator are limited and respectively. The further
development of the penal legislation and introduction of specific provisions in this context
seems more and more topical with a view to the rising popularity of the social networks.
Canada
Laws focusing explicitly on ID theft
On the 31st of March 2009 the Act to amend the Criminal Code (identity theft and related
misconduct), Bill S-4,[106] was introduced in the Canadian Senate. With its coming into
force on the 8th of January 2010, the bill, which – with a few additional offences – covers
the same provisions already proposed in 2007 by Bill C-27,[107] has amended the Criminal
Code to cover identity-related crimes. In particular the bill aims to close the gap with
respect to certain activities not previously covered by other provisions of the Criminal
Code, such as preparatory activities.[108]
Other laws that may apply to ID theft incidents
Privacy protection and data protection legislation
There are some central federal laws regulating privacy and data security, the most
important of which we are going to present below. However, given the federal structure of
Canada, there are also several privacy laws implemented at state and province level.
Ontario for example has the Ontario ‘Freedom of Information and Protection of Privacy
Act,’[109] the ‘Municipal Freedom of Information and Protection of Privacy Act,’[110] and the
‘Personal Health Information Protection Act.’[111] Additional information on the individual
state level legislation can be found on the website of the Information and Privacy
Commissioner of Ontario.[112] A new law, Bill C-27: Electronic Commerce Protection Act
(ECPA), was proposed in 2009, but it has not been reintroduced.[113] The ECPA would
have provided for regulation (including administrative monetary penalties) with respect to
spam and related threats such as identity theft, phishing, spyware, and viruses. Additionally,
the ECPA would have granted a right of civil action to businesses and consumers targeted
by the perpetrators of such activities.
[106] S-4 An Act to amend the Criminal Code (identity theft and related misconduct), 40th Parliament - 2nd
Session (Jan. 26, 2009-Dec. 30, 2009). Available at:
http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&Session=22&query=5778&List=toc
[107] Bill C-27, 39th Parliament 2nd Session, introduced in Parliament November 21, 2007. Available at:
http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&query=5333&Session=15&List=toc.
[108] Legislative Summary of the Bill S-4: An Act to Amend the Criminal Code (Identity Theft and Related
Misconducts), 2009. Available at:
http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&query=5778&Session=22&List=ls
[109] Available at: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm
[110] Available at: http://www.search.e-laws.gov.on.ca/en/isysquery/1385d774-050f-4aca-83c6e318d815c202/8/doc/?search=browseStatutes&context=#hit1
[111] Available at http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm
[112] See: http://www.ipc.on.ca/english/Resources/Legislation/Legislation-Summary/?id=453
[113] Bill C-27: Electronic Commerce Protection Act (2nd Session of the 40th Parliament). Available at:
http://www2.parl.gc.ca/Sites/LOP/LegislativeSummaries/Bills_ls.asp?lang=E&ls=c27&source=library_prb&Parl=40&Ses=2
Data protection law (regarding the collection, use, and disclosure of individual data
by organizations)
Relevant law
Personal Information Protection and Electronic Documents Act
(PIPEDA)
Reference
See http://laws.justice.gc.ca/en/P-8.6/
Main provisions in relation to ID theft
PIPEDA applies to organizations, and their collection, use or
disclosure of personal information in the course of commercial
activities.[114]
‘Personal information’ is defined as ‘information about an
identifiable individual’, other than ‘name, title or business
address or telephone number of an employee of an organization.’
This definition includes email addresses that are traceable to the
individual, as well as information that does not permit
identification of an individual but relates to an identifiable
individual (for instance, his or her shopping preference).
Prescribed sanction
Under PIPEDA, individuals can submit complaints to the
Privacy Commissioner. The Commissioner has to conduct an
investigation in response to such a complaint. She can however
also launch an investigation on her own initiative. Subsequently,
the Commissioner has the right to issue non-binding
recommendations based on her findings. Following this step,
either the individual or the Commissioner can seek legal
enforcement at a Federal Court. The court is entitled to order
corrective practices, publication of the notice regarding corrective
practices, damages (incl. for humiliation), and other remedies.
Data protection law (regarding the collection, use, and disclosure of individual data
by the government)
Relevant law
Privacy Act
Reference
See http://laws.justice.gc.ca/en/P-21/index.html
Main provisions in relation to ID theft
This Act aims to protect the privacy of individuals with respect to
personal information about them that is held by a government
institution, and it regulates the individuals’ right of access to that
information.
[114] Given that Alberta, British Columbia, Quebec, as well as Ontario (with respect to personal health information)
have enacted equivalent privacy laws, PIPEDA does in general not apply to these jurisdictions.
‘Personal information’ is defined as ‘information about an
identifiable individual that is recorded in any form’, and includes
amongst others ‘a) information relating to the race, national or
ethnic origin, colour, religion, age or marital status of the
individual, (b) information relating to the education or the
medical, criminal or employment history of the individual or
information relating to financial transactions in which the
individual has been involved, (c) any identifying number, symbol
or other particular assigned to the individual, (d) the address,
fingerprints or blood type of the individual, (e) the personal
opinions or views of the individual except where they are about
another individual or about a proposal for a grant, an award or a
prize to be made to another individual by a government
institution or a part of a government institution specified in the
regulations, (f) correspondence sent to a government institution
by the individual that is implicitly or explicitly of a private or
confidential nature, and replies to such correspondence that
would reveal the contents of the original correspondence,’
Without the consent of the respective individual, the government
entity holding personal information is not allowed to disclose the
information. Exceptions are established by the Act in section 8(1)
and include amongst others the case where another legislative act
authorizes such disclosure, or if it is requested by a subpoena or
warrant issued or order made by a court, to the Attorney General
of Canada for use in legal proceedings involving the Crown in
right of Canada or the Government of Canada.
According to the act every government institution has to make
sure that personal information about an individual is included in
the institution’s personal information bank(s).
Section 12(1) finally grants the individual a right of access to ‘(a)
any personal information about the individual contained in a
personal information bank; and (b) any other personal
information about the individual under the control of a
government institution with respect to which the individual is
able to provide sufficiently specific information on the location of
the information as to render it reasonably retrievable by the
government institution.’
Prescribed sanction
Under section 41 of the Privacy Act, an individual may request a
hearing before the Federal Court of Canada only in relation to a
refusal by a government institution to provide an individual
access to his or her personal information held by the government
institution about which a complaint was made to the Privacy
Commissioner of Canada.
Criminal law
Identity theft
Relevant law
Criminal Code
Reference
See http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&Session=22&query=5778&List=toc, and
http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&Chamber=N&StartList=A&EndList=Z&Session=22&Type=0&Scope=I&query=5778&List=toc-1
Main provisions in relation to ID theft
Section 402 is the central identity theft provision. It criminalizes
everyone who:
• knowingly obtains or possesses another person’s identity
information in circumstances giving rise to a reasonable
inference that the information is intended to be used to
commit an indictable offence that includes fraud, deceit or
falsehood as an element of the offence.
• transmits, makes available, distributes, sells or offers for sale
another person’s identity information, or has it in their
possession for any of those purposes, knowing that or being
reckless as to whether the information will be used to commit
an indictable offence that includes fraud, deceit or falsehood as
an element of the offence.
‘Indictable offence’ refers to any of the following: (a) section 57
(forgery of or uttering forged passport); (b) section 58 (fraudulent
use of certificate of citizenship); (c) section 130 (personating peace
officer); (d) section 131 (perjury); (e) section 342 (theft, forgery,
etc., of credit card); (f) section 362 (false pretence or false
statement); (g) section 366 (forgery); (h) section 368 (use,
trafficking or possession of forged document); (i) section 380
(fraud); and (j) section 403 (identity fraud).
‘Identity information’ is defined as information ‘commonly used
alone or in combination with other information to identify or
purport to identify an individual.’ Examples for such information
are: name, address, date of birth, written, electronic or digital
signature, Social Insurance Number, health insurance or driver’s
licence number, credit or debit card number, number of an
account at a financial institution, passport number, user code,
password, fingerprint or voice print, retina or iris image, or DNA
profiles.
Prescribed sanction
This is a hybrid offence[115] for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 5 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail, or both. Additionally, subsection 738(1)(d) enables
the court to order the offender - as part of the sentence - to pay
restitution (covering expenses incurred to re-establish the identity,
including expenses to replace the identity documents and to
correct the credit history and credit rating) to a victim.
Identity fraud
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft
Section 403 of the Criminal Code criminalizes any fraudulent
impersonation of a person (living or dead) with the intent to a)
gain any advantages for oneself or another person, b) obtain
property or an interest in a property, c) cause a disadvantage to
another person, or d) avoid arrest or prosecution, or obstruct,
pervert or defeat the course of justice. This provision also covers
identity-related crimes of non-economic nature, but does not
extend to the fraudulent use of a fictitious identity.
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 10 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail, or both. Additionally, subsection 738(1)(d)
enables the court to order the offender - as part of the sentence -
to pay restitution (covering expenses incurred to re-establish the
identity, including expenses to replace the identity documents
and to correct the credit history and credit rating) to a victim.
[115] Canadian criminal law groups offences in three different prototypes: a) summary conviction offences, which
are minor offences, that are – unless a different penalty is specified – punished by a fine of no more than
$5000, or six months of jail, or both; b) indictable offences, which are more serious and where the offender is
in general entitled to a trial by jury, and c) hybrid offences, that can be prosecuted either as summary
convictions or indictments. In the latter case the Crown can decide on the mode of prosecution. See:
http://www.defencelaw.com/classification.html
Unlawfully ordering, possessing, or trafficking of identity documents
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft
Section 56.1(1) criminalizes everyone who without a lawful
reason procures to be made, possesses, transfers, sells or offers for
sale an identity document that relates or purports to relate, in
whole or in part, to another person.
Identity document is defined as a Social Insurance Number card, a
driver’s licence, a health insurance card, a birth certificate, a
death certificate, a passport, a document that simplifies the
process of entry into Canada, a certificate of citizenship, a
document indicating immigration status in Canada, a certificate
of Indian status or an employee identity card that bears the
employee’s photograph and signature, or any similar document,
issued or purported to be issued by a department or agency of the
federal government or of a provincial or foreign government.
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 5 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Forgery
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft
Section 366 criminalizes the making of a false document, as well
as the altering of a genuine document with the intent that it is
treated as a genuine document by someone else.
Prescribed sanction
Forgery is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 10 years, or b) as a summary
conviction punishable by a fine of no more than $5000 or six
months of jail, or both.
Use, trafficking or possession of forged document
Relevant law
Criminal Code
Reference
http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft
Section 368(1) criminalizes everyone who, knowing or believing
that a document is forged,
(a) uses, deals with or acts on it as if it were genuine;
(b) causes or attempts to cause any person to use, deal with or act
on it as if it were genuine;
(c) transfers, sells or offers to sell it or makes it available, to any
person, knowing that or being reckless as to whether an offence
will be committed under paragraph (a) or (b); or
(d) possesses it with intent to commit an offence under any of
paragraphs (a) to (c).
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 10 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Instruments for copying credit card data or forging or falsifying credit cards
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft
Section 342.01 criminalizes everyone who without lawful
justification makes, repairs, buys, sells, exports from Canada,
imports into Canada or possesses any instrument, device,
apparatus, material or thing that they know has been used or
know is adapted or intended for use
(a) in the copying of credit card data for use in the commission of
an offence under subsection 342(3); or
(b) in the forging or falsifying of credit cards.
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 10 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Theft, forgery, etc. of credit cards [the definition of credit cards includes also debit
cards]
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft
Section 342(1) covers the unauthorized collection, possession
and trafficking of credit (including debit) cards. Specifically it
criminalizes everyone who: steals a credit card, forges or falsifies a
credit card, possesses, uses or traffics in a credit card or a forged
or falsified credit card, knowing that it was obtained, made or
altered, by the commission of an act that would be an offence in
Canada, or uses a credit card knowing that it has been revoked or
cancelled.
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 10 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Unauthorized use of credit card data
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft
Section 342(3) criminalizes everyone who, ‘fraudulently and
without colour of right, possesses, uses, traffics in or permits
another person to use credit card data, including personal
authentication information, whether or not the data is authentic,
that would enable a person to use a credit card or to obtain the
services that are provided by the issuer of a credit card to credit
card holders.’
‘Personal authentication information’ is defined as a ‘personal
identification number or any other password or information a
credit card holder creates or adopts to be used to authenticate his
or her identity in relation to the credit card’
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 10 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Theft from mail
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft
Section 356(6) criminalizes everyone who steals anything sent by
post, possesses anything that he knows was stolen while sent by
mail, or makes, possesses, or uses a copy of a key for a Canadian
Post mailbox or another key with the intent to commit a
mail-related offence, as well as the theft of such a key, or the
fraudulent redirection of anything sent by post.
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 10 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Unauthorized use of computer
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft
Section 342.1(1) covers the unauthorized collection, possession
and trafficking of computer passwords. Specifically it criminalizes
everyone who ‘fraudulently and without colour of right:
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or
other device, intercepts or causes to be intercepted, directly or
indirectly, any function of a computer system,
(c) uses or causes to be used, directly or indirectly, a computer
system with intent to commit an offence under paragraph (a) or
(b) or an offence under section 430 [mischief] in relation to data
or a computer system, or
(d) uses, possesses, traffics in or permits another person to have
access to a computer password that would enable a person to
commit an offence under paragraph (a), (b) or (c)’
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 10 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Possession of device to obtain computer service
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft
Provision 342.1(2) covers the creation, possession and trafficking
of devices to obtain computer services. Specifically, it criminalizes
everybody who, ‘without lawful justification or excuse, makes,
possesses, sells, offers for sale or distributes any instrument or
device or any component thereof, the design of which renders it
primarily useful for committing an offence under section 342.1
[unauthorized use of computer], under circumstances that give
rise to a reasonable inference that the instrument, device or
component has been used or is or was intended to be used to
commit an offence contrary to that section’
Prescribed sanction
This is a hybrid offence for which the Criminal Code foresees
two alternatives, prosecution as a) an indictable offence with
imprisonment of no more than 2 years, or b) a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Fraud
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft
Fraud in general is punished by Section 380(1) of the Criminal
Code. This provision sanctions any act of using deception to
appropriate someone else’s property, or to put that person at risk
of such a deprivation. This provision covers identity-related
crimes that have the purpose of gaining economic benefits, but
not such that are aiming at non-financial benefits (such as
evasion of police detection).
Prescribed sanction
A violation of section 380(1) is punished depending on the value
of the economic benefit obtained by the fraudulent act. If the
value is less than $5000, the law treats it as a hybrid offence and
foresees two alternatives, prosecution as a) an indictable offence
with imprisonment of no more than 2 years, or b) as a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both. If the economic benefit gained exceeded
$5000 the act is prosecuted as an indictable offence and the
punishment is imprisonment of no more than 14 years.
Drawing document without authority, etc.
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft
Section 374 criminalizes anybody who: ‘(a) with intent to
defraud and without lawful authority makes, executes, draws,
signs, accepts or endorses a document in the name or on the
account of another person by procuration or otherwise, or (b)
makes use of or utters a document knowing that it has been
made, executed, signed, accepted or endorsed with intent to
defraud and without lawful authority, in the name or on the
account of another person, by procuration or otherwise’
Prescribed sanction
This offence is indictable and punishable with no more than 14
years of imprisonment.
False pretence or false statement
Relevant law
Criminal Code
Reference
See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft
Section 362 criminalizes mainly anybody who by a false pretence,
obtains anything in respect of which the offence of theft may be
committed, or obtains credit by a false pretence or by fraud.
Prescribed sanction
The general punishment if the value obtained exceeds $5000 is
imprisonment for not more than ten years (in this case the
offence is indictable). In the case where the value obtained is less
than $5000 the offence can be treated as indictable with
imprisonment for no more than two years, or as a summary
conviction punishable by a fine of no more than $5000 or six
months of jail or both.
Application in practice
Given that the Act to amend the Criminal Code (identity theft and related misconduct)
only came into force at the beginning of 2010, it remains to be seen how these new
provisions are going to be applied over time. In the sections below, however, we examine,
to the extent possible, how the wider set of regulations might be applied in practice.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely at least involve:
• Identity theft (section 402) if another’s identity is used
knowingly, and with the intention of committing an
indictable offence (eg, 403).
• Identity fraud (Section 403) if the offender takes on the false
identity with the intent to use this account to gain any
advantage (also of non-economic nature), or cause a
disadvantage to the person whose name is used.
• Fraud (section 380(1)) if the purpose of the deception is to
gain economic benefit.
Case law available?
No new case law known.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Such an incident would likely at least involve:
• Unauthorized use of computer (section 342.1(1)) if the use, or
possession of computer passwords is involved.
• Identity theft (section 402) if another’s identity is used
knowingly, and with the intention of committing an
indictable offence (eg, 403).
• Identity fraud (Section 403) if the intent is to use this account
to gain any advantage (also of non-economic nature), or cause
a disadvantage to the person whose name is used.
• Fraud (section 380(1)) if the purpose of the deception is to
gain economic benefits.
Case law available?
No new case law known.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
Such an incident would likely at least involve:
• Data privacy law as established in PIPEDA if the emails are
sent by an organization to an individual who did not consent
to receive that email.
• Identity theft (section 402) if the offender obtains the identity
information with the intention of committing an indictable
offence (eg, 403).
• Identity fraud (Section 403) if the offender claims in his email
to be another person with the intention to gain any advantage
(also of non-economic nature), or cause a disadvantage to the
person whose name is used.
• Unauthorized use of computer (section 342.1(1)) if the use, or
possession of computer passwords is involved (mere phishing
without using someone else’s password or obtaining other
people’s passwords is however not covered by this section).
• Fraud (section 380(1)) if the purpose of the deception is to
gain economic benefit.
• Trade-mark Act if the domain name of another company is
claimed this might.
Case law available?
A case where an Ontario-based spammer used a fictitious
Amazon webpage was settled before defence filed [Amazon.com
Inc. v. 1505820 Ontario Inc., c.o.b. Natural Grains Deli and
Catering (Statement of Claim filed August 25, 2003 in Ontario
Superior Court of Justice)]
No new case law known.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
Such an incident would likely involve:
• Identity theft (section 402) if the obtained personal
information is intended to be used to commit an indictable
offence (eg, 403).
• Identity fraud (Section 403) if the intent is to use the personal
information to gain any advantage (also of non-economic
nature), or cause a disadvantage to the person whose name is
used.
• Unauthorized use of computer (section 342.1(1)) as it covers
the unauthorized collection and possession of computer
passwords.
• Possession of device to obtain computer services (section
342.1(2)) which covers the use of spyware and hacking tools.
Case law available?
No new case law known.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
Such an incident would likely involve:
• Identity theft (section 402) if the trafficker were reckless as
to whether the information will be used to commit an
indictable offence that includes fraud, deceit or falsehood.
• If the database would not consist of email addresses but credit
card data (incl. personal authentication information) this
could also trigger Section 342(3) that criminalizes the
unauthorized use of credit card data.
• If the database would contain computer passwords, section
341.1(1) unauthorized possession and trafficking of such.
• If the email addresses were collected by a company without
the consent of the respective individuals, and the company
intended to sell the database or use it for marketing purposes,
this is likely to violate PIPEDA, given under this act email
addresses are considered ‘personal information’.
• Private rights of action can be found in numerous Canadian
statutes, ranging from provincial consumer protection laws
like (Ontario's Consumer Protection Act, 2002, S.O.2002,
c.30, ss.14-18)
Case law available?
With respect to the question of unsolicited email for marketing
purposes sent to email addresses obtained without the consent of
the individual, the Privacy Commissioner decided that in
accordance with (Section 2; Principles 4.3; paragraphs 7(1)(d)
and 7(2)(c.1); and Principles 4.1 and 4.1.3) the collection of
email addresses on public websites (eg, the employer’s homepage)
violates privacy protection rules. The company was asked to
change its business practices, and followed the request.[116]
No new case law known.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
This would likely at least allow for the application of the
following statutes:
Identity theft as the offender possesses another person’s
identity information with the intention to commit an offence
(Section 402)
Identity fraud given the offender impersonates another person
to gain financial benefits (Section 403)
Forgery if the offender made or altered the document himself
(Section 366).
Use of a forged document as the offender will use the false
document as if it were genuine (Section 368(1))
Fraud (section 380(1)) given the purpose of the deception is
to gain economic benefit.
Drawing document without authority (section 374) if in the
process a document is signed with the name of another
person.
116 Case Summary #2005-297, available at http://www.priv.gc.ca/cf-dc/2005/297_050331_01_e.cfm
If this act were to involve using a forged security card, or
someone else’s security card (in Canada this is the Social
Insurance Number SIN card), section 141(1) of the
Employment Insurance Act117 would also be relevant. This
provision makes it an offence to a) knowingly apply for more
than one SIN, b) use someone else's number to deceive and
defraud, c) loan or sell a SIN or a SIN card to deceive or
defraud, or d) manufacture a SIN card. The penalty is a fine
of up to $1,000, imprisonment for up to one year, or both.
Case law available?
No new case law known.
ID theft reporting mechanisms
Reporting site
There is no one-stop-shop mechanism in place for reporting ID theft-related crimes in
Canada; rather there are several points of information on fraudulent activities in general
(including identity theft) and a few that specifically target identity theft. These usually
provide information on how to prevent identity theft, and what to do in case of becoming
a victim of identity theft and related crimes. When dealing with identity theft, these
websites regularly do not differentiate between online and offline. Some of these websites
have hotlines in place to get guidance on the phone, or complaint forms online to report
fraudulent activities and/or identity theft. These websites and hotlines are operated by a
range of different entities, including Canadian law enforcement agencies, ministries and
other governmental entities, as well as not-for-profit organizations. However, none of
these hotlines/websites seems to coordinate the further process, rather they provide
guidance on the steps to be taken after having become a victim, and raise awareness by
providing information material to the public.
A selection of these available resources is provided in the following paragraphs.
Canadian Anti Fraud Center (formerly known as PhoneBusters) (http://www.phonebusters.com/)
Established in January of 1993, CAFC is jointly managed by the Royal Canadian
Mounted Police, the Ontario Provincial Police, and the Competition Bureau of Canada.
Besides educating the public on specific fraudulent schemes, it provides a call center for
victims of fraud (including ID theft) where they can receive guidance on what to do. It is
the central agency in Canada to collect information on identity theft complaints. While it
does not conduct any investigations, it makes information available to outside law
enforcement agencies, and provides assistance to these. It collects statistics and makes them
publicly available.
117 Employment Insurance Act, S.C. 1996, c. 23. Available at: http://www.servicecanada.gc.ca/eng/ei/legislation/ei_act_jan2010_e.pdf
Reporting Economic Crime Online (RECOL) (https://www.recol.ca/intro.aspx?lang=en)
RECOL is an initiative of international, federal and provincial law enforcement agencies,
regulators and private commercial organizations. It provides a complaint mechanism,
information material on how to prevent oneself from becoming a victim, as well as trends
and statistics on economic fraud. One of the subsections is dedicated to identity theft and
how to safeguard from becoming a victim.
Canada’s Office of Consumer Affairs (OCA) (http://www.ic.gc.ca/eic/site/ocabc.nsf/eng/h_ca02226.html )
OCA has a website on Privacy & Identity Protection that links up to the identity theft kit
for consumers developed by the Consumer Measures Committee
(http://cmcweb.ca/eic/site/cmc-cmc.nsf/eng/fe00084.html), which had been created under
Chapter Eight of the Agreement on Internal Trade (AIT), and served as a
federal-provincial-territorial forum for national cooperation to improve the marketplace for
Canadian consumers, through harmonization of laws, regulations and practices and
through actions to raise public awareness. The CMC had also developed an identity kit for
businesses. These kits combine information on how to find out if one has become a victim
of identity theft, how to reduce the risk of such an event, and what to do in case of identity
theft.
Public Safety Canada (http://www.publicsafety.gc.ca/prg/le/bs/consumers-eng.aspx)
The Canadian Ministry of Public Safety has a special website on identity theft that
provides general information on this crime, and advice for consumers on how to prevent
becoming a victim of identity theft and what to do if they become victims.
Royal Canadian Mounted Police (RCMP) (http://www.rcmp-grc.gc.ca/scamsfraudes/id-theft-vol-eng.htm)
Within its Fraud and Scam website, the Royal Canadian Mounted Police has a subsection
on identity theft that provides a definition in accordance with the recently introduced law,
recommendations on how to prevent identity theft and on the steps to undertake if
becoming a victim of identity theft.
The Office of the Privacy Commissioner (http://www.priv.gc.ca/fs-fi/02_05_d_10_e.cfm)
The Office of the Privacy Commissioner provides a factsheet on identity theft on its
website that informs the public what they can do to fight identity theft and what actions to
take in case they become victims of identity theft.
Canadian Council of Better Business Bureaus (BBB) (http://www.bbb.org/canada/)
The BBB is a private, non-profit organization that aims to ‘monitor and report
marketplace activities to the public.’ It provides a fraud reporting website, and provides
information on market place fraud via its publications. BBB has no legal mandate but
according to its website, it ‘work closely with local, state, and federal law enforcement
agencies, providing them with valuable information on potentially fraudulent activities.’
Heads Up Fraud Prevention Association (http://www.heads-up.ca/)
Is a program integrated in the Alberta Police Service. Its aim is to develop and provide
fraud prevention information in relation to fraud-related activities both on and off the
Internet to the public. One of the key areas of its work is ID theft.
The Canadian Bankers Association
(http://www.cba.ca/index.php?option=com_content&view=article&catid=42&id=60&Itemid=55&lang=en)
The CBA also provides a website with information on the current identity theft regulation,
and recommendations on how to prevent identity theft.
Personal assessment of the framework for combating ID theft
In the light of the federal structure that provides in certain relevant areas for decentralized
layers of applicable regulation in addition to the federal level (eg, data privacy regulation),
it has to be cautioned that the assessment of the most important legislation on federal level
can of course not provide an exhaustive picture.
However, taking into account in particular the most recent amendments of the criminal
code with respect to identity theft-related crimes, it seems that overall the legal framework
for combating ID theft incidents in Canada is quite comprehensive. How effectively the new
provisions will be enforced remains, however, to be seen.
Some possibility for improvement seems to exist with respect to the online environment, in
particular when it comes to spam, which can foster phishing and other identity-related
crimes. A comprehensive act, proposed in 2009, aimed to address this issue by covering
regulation of the online environment with respect to spam and related threats (such as
identity theft, phishing, spyware, viruses, and botnets). This act, which would have provided
an additional right of civil action, has, however, not been enacted.
While there is a broad range of information available online on how to prevent identity
theft and what to do in case it happens, there is no one-stop-shop point for reporting.
Victims still have to report to the local law enforcement office, and contact several
administrative agencies to remedy the ID theft.
China
Applicable laws
Laws focusing explicitly on ID theft
There is no legislation in China that focuses explicitly on ID theft as a specific crime, or
that defines such a crime. In practice, ID theft incidents are combated using the relevant
provisions in a variety of laws (in relation to privacy protection, fraud, forgery of authority
documents, etc.).
No such legislation is currently under consideration to our knowledge, despite a couple of
high-profile ID theft cases that have been tried by the courts under the relevant legal
provisions.
Other laws that may apply to ID theft incidents
Tort Liability Laws applied to privacy breaches (侵权责任法)
Relevant law
Law of 26 December 2006 formally recognizes privacy as a
category of civil right in China.
Reference
See http://www.law-lib.com/law/law_view.asp?id=305260
Main provisions in relation to ID theft
Article 2 provides that tortious liability arises upon the
infringement of ‘civil rights and interests,’ an extremely broad
category that includes personal and property rights and interests
such as the right to life, the right to health, rights associated with
names, reputation rights, honorary rights, the right to one's
image, the right to privacy, the right to marital autonomy, the
right to guardianship, ownership rights, usufruct, collateral
rights, copyrights, patent rights, exclusive rights to use
trademarks, discovery rights, equity rights and inheritance rights.
The provision for the first time expressly stipulates that there is a
‘right of privacy’ in China, but there is no further elaboration of
precisely what this right consists of.
Prescribed sanction
As a general principle, a person will incur liability where he
infringes upon another person's civil rights and interests and is at
fault. The Law establishes the principal remedies that may be
used, either independently or jointly, against an individual who
commits a tort. Possible remedies include:
* Requiring an individual or company to cease infringement
(of civil rights);
* Eliminating the risk caused by a person's tortious conduct;
* Removing the obstacle to the exercise of rights created by
such conduct;
* Returning property to the victim of a tort;
* Restoring the state of affairs to what it was prior to
commission of the tort;
* Compensating the victim of the tort for damages suffered;
* Making an apology;
* Eliminating adverse effects; and/or
* Restoring the injured party's reputation.
Measures for the Administration of Protecting the Security of International
Connections to Computer Information Networks (计算机信息系统国际联网安全保护管理规定)
Relevant law
Measures enacted on 17 December 1997
Reference
http://www.law-lib.com/law/law_view.asp?id=13628
Main provisions in relation to ID theft
Article 7 provides that the communication freedom and privacy
of network users is protected by law. No unit or individual may,
in violation of these regulations, use the Internet to violate the
communication freedom and privacy of network users.
Prescribed sanction
Violations are subject to administrative punishments stipulated
by the relevant law.
Measures for Administration of Email Service on the Internet
(互联网电子邮件服务管理办法)
Relevant law
Measures enacted on 20 February 2006.
Reference
http://www.law-lib.com/law/law_view.asp?id=143610
Main provisions in relation to ID theft
Article 3 provides that citizens’ privacy of correspondence in
using Internet email services shall be protected by law. Unless the
public security organ or prosecutorial organ makes an inspection
on the contents of correspondence pursuant to the procedures
prescribed by law and for the purpose of protection of national
security or investigation of crimes, no organization or individual
shall infringe upon any citizen’s privacy of correspondence on
any pretext. Articles 9 & 12 prohibit using, selling, sharing or
exchanging via the Internet email addresses of others obtained
through online automatic collection or arbitrary alphabetical or
digital combination, and sending emails to the addresses obtained
through the foregoing means.
Prescribed sanction
Violations are subject to fees up to RMB Yuan 10,000, or RMB
Yuan 30,000 if illegal gains were acquired.
Law for the Protection of Minors (未成年人保护法)
Relevant law
Law of 4 September 1991, revised on 29 December 2006,
protects the privacy of minors.
Reference
See http://www.law-lib.com/law/law_view.asp?id=184008
Main provisions in relation to ID theft
Article 39 of the Law forbids infringement against the privacy of
minors. Except for criminal investigations or supervision by
guardians, no minors’ mails, diaries or emails shall be opened and
read.
Article 58 provides that with regard to cases involving crimes
committed by minors, the names, home addresses and photos of
such minors as well as other information which can be used to
deduce who they are, may not be disclosed before the judgment
in news reports, films, television programs and in any other
openly circulated publications.
Prescribed sanction
Acts infringing the privacy of minors, in serious circumstances,
are subject to administrative punishment by police.
Law on the Identity Card of Residents (居民身份证法)
Relevant law
Law of 28 June 2003 protects the citizens’ privacy on Identity
Cards.
Reference
See http://www.law-lib.com/law/law_view.asp?id=78264
Main provisions in relation to ID theft
Articles 15 & 19 of this Act provide that no organization or
individual has the right to check or retain a citizen’s identity card
except for the police, who are required to keep confidential any
personal data obtained from the identity cards.
Articles 17 & 18 forbid forging or otherwise altering a residence
registration, or assuming another person’s registration.
Prescribed sanction
Police who disclose the citizens’ personal information acquired
through making, distributing, checking or confiscating the
identity cards and damage the legitimate rights and interests of
the citizens shall be subject to administrative punishment, or
criminal penalties in serious circumstances.
Acts of forging or otherwise altering a residence registration, or
assuming another person’s registration are punishable by fines,
detainment or penalties if circumstances are serious.
Regulations on the Publication of Governmental Information (政府信息公开条例)
Relevant law
Regulations on the Publication of Governmental Information
were enacted on 5 April 2007.
Reference
See http://www.law-lib.com/law/law_view.asp?id=199898
Main provisions in relation to ID theft
Article 14 prohibits any administrative organ from publishing
certain governmental information that involves State secrets,
trade secrets or personal privacy.
Prescribed sanction
An administrative organization that violates the privacy
protection obligation is subject to administrative or criminal
punishment.
Criminal Law
Criminal punishment of Privacy Infringement
Relevant law
The law of 1 July 1979 criminalizes privacy invasion.
Reference
See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft
Article 253bis, which was amended into the Criminal Code on
February 28, 2009, imposes criminal liability on persons who
misappropriate personal information during the course of
performing their professional duties. Both private sector and
governmental agency personnel who misappropriate a citizen’s
personal data are subject to the penalty.
Prescribed sanction
Personnel of government agencies or in financial,
telecommunications, transportation, educational and medical
institutions who sell or illegally provide to others a citizen’s
personal information acquired in the course of performance of
their duties or provision of services are, in serious circumstances, to
be sentenced to imprisonment for less than three years,
imposition of a fine (as a single penalty or concurrently with
other penalties), or detention. An enterprise or a supervisor in an
enterprise (‘management personnel with direct responsibility’)
shall be liable for such misappropriations that are conducted by
the enterprise.
Fraud
Relevant law
Criminal Code
Reference
See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft
Article 266 sanctions fraud crimes.
Articles 192-200 punish the crime of financial fraud. This section
sanctions any act of using deception to appropriate someone
else’s property (including fraudulent loans, credit card debits or
insurance claims).
Prescribed sanction
Punishments provided by the law are fixed term or life-long
imprisonment, fines and/or confiscation of illegal property.
Crimes under Article 192, 194 and 195 in extremely serious
circumstances may be subject to death penalty.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code
Reference
See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft
Article 280 punishes the crimes of forging, altering or selling
governmental documents, certificates or seals, forging the seals of
enterprises or other entities, or forging or altering citizens’
identity cards.
Prescribed sanction
Punishment provided by the law is imprisonment up to 10 years.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code
Reference
See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft
Article 285 punishes the acts of illegally hacking into computer
systems, providing illegal tools specifically used for hacking or
knowingly providing programs or tools for hacking.
Prescribed sanction
Punishment provided by the law is imprisonment up to 7 years
and/or fines.
Cybercrime – illegal data interference
Relevant law
Criminal Code
Reference
See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft
Article 285 punishes the acts of illegally controlling computer
systems or obtaining the data stored, processed or communicated
in the computer systems, providing illegal tools specifically used
for controlling computer systems or knowingly providing
programs or tools for such purposes.
Article 286 punishes the acts of illegally deleting, altering, adding
to or interfering with the functioning of computer systems to
cause malfunctions, the acts of illegally deleting, altering or adding
data stored, processed or communicated in the computer system
to cause serious consequences, and the act of intentionally
producing and spreading computer viruses and/or other
disruptive programs to affect the normal functioning of a
computer system and cause serious consequences.
Prescribed sanction
Punishment provided by the law is imprisonment up to 5 years.
Cybercrime – computer-related forgery
Relevant law
Criminal Code
Reference
See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft
No specific provision but may be analogous to Article 285.
Prescribed sanction
Analogous to the punishment provided by Article 285.
Cybercrime – computer-related fraud
Relevant law
Criminal Code
Reference
See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft
Article 287 provides that financial fraud committed via a
computer shall be sanctioned according to the relevant stipulations
(Articles 192-200) of the law.
Prescribed sanction
Punishments provided by the law are fixed term or life-long
imprisonment, fines and/or confiscation of illegal property.
Crimes under Article 192, 194 and 195 in extremely serious
circumstances may be subject to death penalty.
Application in practice
In the sections below, we will examine if/how these regulations are applied in practice,
including the identification of any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
This involves:
• Criminal Law: crimes of illegally controlling computer
system;
• Tort Liability Law: violation of a citizen’s right
associated with names, reputation rights and right to
privacy;
• Measures for the Administration of Protecting the
Security of International Connections to Computer
Information Networks: violation of communication
freedom and netizen’s privacy.
Case law available?
There have been many disputes but no case law has been made
public so far.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
This involves:
• Criminal Law: crimes of fraud, forgery and illegally
controlling computer system;
• Tort Liability Law: violation of a citizen’s right
associated with names, reputation rights and right to
privacy;
• Measures for the Administration of Protecting the
Security of International Connections to Computer
Information Networks: violation of communication
freedom and Internet users’ privacy.
• Measures for Administration of Email Service on the
Internet, issued by the Ministry of Information Industry:
violation of citizens’ privacy of correspondence in using
Internet email services.
Case law available?
There have been a number of offline cases involving ID theft. In
October 2009, Shaoyang Beita District People’s Court made a
decision on identity theft crime. In 2004, Wang Zhengrong paid
RMB Yuan 50,000 (USD $10,680) to secure a swap of the
identities and college-entrance examination information of her
daughter and Luo Caixia to enable her daughter to be admitted
by a university. Luo discovered that her identity was stolen when
she tried to open a bank account, but was told that her identity
was already in use. Nor could she find a job because the
graduation and professional certificates she had been working
towards could not be issued as they had already been issued to
Wang’s daughter using her name. Eventually Wang Zhengrong
was prosecuted and detained on charges of forging official
documents, certificates and seals. Wang was sentenced to a
four-year fixed-term imprisonment. The university degree obtained by
Wang’s daughter through identity theft was revoked. But Luo
Caixia found that resuming her true identity would take longer
than expected because she was still turned down by both banks
and on the job market. Although she sought civil remedies by
suing Wang Zhengrong and others for infringing her right of
name and education, it does not seem that she will obtain any
compensation from the prolonged proceeding in the near future.
Luo Caixia is by no means the only victim. In August 2001,
Shandong High People’s Court ruled for Qi Yuling whose
constitutional right of receiving education was infringed by the
defendant’s action of identity theft of college-entrance
examination information. The decision was affirmed by the
Supreme People’s Court in an official reply to Shandong High
People’s Court. Unfortunately, the official reply was repealed by
the Supreme People’s Court in a decision effective from
December 24, 2008, which leaves uncertainty in handling ID
theft cases.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
This involves:
• Criminal Law: crimes of fraud, forgery and illegally
controlling computer system;
• Tort Liability Law: violation of a citizen’s right
associated with names, reputation rights and right to
privacy;
• Measures for the Administration of Protecting the
Security of International Connections to Computer
Information Networks: violation of communication
freedom and Internet users’ privacy.
• Measures for Administration of Email Service on
Internet: violation of citizens’ privacy of correspondence
in using Internet email services.
Case law available?
In May 2009, the police station of Shanghai Baoshang District
investigated a phishing website that had been trapping users to
input their usernames and passwords of Taobao, an online
transaction platform, in a fake system to steal the money in the
users’ transaction accounts. In two months, the phishing website
stole more than RMB Yuan 10,000. In June 2009, four phishing
website operators were arrested. In January 2010, they were
sentenced by Shanghai Baoshang District People’s Court to
imprisonment for the crime of fraud.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
This involves:
Criminal Law: crimes of forging, altering or selling governmental
documents, certificates or seals, or forging or altering citizens’
identity cards.
Case law available?
There have been disputes that people submitted falsified ID
documents to apply for governmentally subsidized housing
benefits. But no case law has been made publicly available.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
This involves:
Criminal Law: crimes of fraud and selling or illegally providing
to others a citizen’s personal information acquired in course of
performance of the duty or provision of services
Case law available?
In 2009, Zhou illegally purchased a detailed log of telephone
calls made by high-ranking local government officials, then sold
it to fraudsters who used it to impersonate the officials over the
telephone. The fraudsters convinced friends or relatives of the
officials that the officials needed money for an emergency
situation, and then they induced them to transfer money to a
bank account controlled by the fraudsters. While the fraudsters
were prosecuted for swindling, Zhou was convicted by Zhouhai
Xiangzhou District People’s Court for the crime of illegally
obtaining a citizen’s personal information. Zhou was sentenced
to 18 months’ imprisonment and a fine of RMB Yuan 2,000.
The case showed that not only selling or illegally providing
citizens’ individual information to other persons by working
personnel of particular organizations, but also the illegal obtaining of
such information by way of theft or other means, where the
circumstances of the case are serious, is subject to penalty.
No other notable case law has been identified.
ID theft reporting mechanisms
In China, no governmental reporting mechanisms are dedicated exclusively to identity
theft. Cybercrime or other forms of fraud may be reported to the police, in the same way
as any other type of crime.
To facilitate the investigation of online ID crime incidents, Internet infrastructure
operators, access providers and users must accept the police’s security supervision,
inspection and guidance, truthfully provide information, materials or data on security
protection, and assist the police in investigating such cybercrime.
Some non-governmental reporting mechanisms have been established in some regions.
They are however not operated by law-enforcement agencies and have only an
informational function or provide a technical solution.
Supplementing these, the Anti-phishing Alliance was established by a number of domain
name registries, registrars, banks, e-commerce websites and security technology companies.
The Chinese Internet Network Information Center (CNNIC), which is the Chinese
country-code top-level domain registry, is the secretariat and responsible for receiving
reports of specific incidents related to phishing. A website, once reported and recognized
for phishing, will be stopped via a resolution by the member registrar of the Alliance.
URL: http://www.cnic.cas.cn/zcfw/cnnic/fwgf/fdlm/200909/t20090928_2528998.html
Finally, the Internet Society of China is maintaining an Illegal and Inappropriate
Information Reporting Center. People may report phishing or other illegal websites to the
Center. The Center will then forward the received reports to the competent authorities,
such as the police.
URL: http://jubao.china.cn:8088/reportinputcommon.do
Personal assessment of the framework for combating ID theft
China has no specific anti-ID theft law, nor is there any specific legal stipulation on ID
theft. The legal sources are relatively sporadic (ie, with little coordination) and
complicated.
With respect to the criminal punishments, ID theft can be criminalized as fraud, forgery,
hacking or computer system interference, etc. depending on the circumstances of the cases.
With respect to the administrative punishments, there are a number of laws or regulations
addressing the issue from different perspectives, such as computer security, privacy and
personal data, confidence and communication, etc. The legally complex situation
frequently puzzles the enforcement agencies. Civil liability is generally weak and poorly
enforced. Most ID theft victims don’t receive any monetary compensation and experience
tremendous difficulty in resuming their own ID.
There is no centralized ID theft reporting and protection mechanism provided by any law
or operated by any governmental agency. ID theft cases are primarily handled by police
and have to undergo the regular lengthy procedure of investigation and prosecution, which
cannot provide timely legal remedies to the victims.
In the long run, China needs to seriously address the ID theft issue, which is becoming
ubiquitous, through setting up a comprehensive and coherent legal system and an effective
enforcement mechanism.
Cyprus
Applicable laws
Laws focusing explicitly on ID theft
Even though there is no specialised legislation applicable in Cyprus concentrating solely on
identity theft criminal issues, nevertheless, ID theft incidents may be combated using other
laws and regulations concerning cybercrime, personal data protection, criminal sanctions,
fraud, etc.
There is no publicly available information on whether any new legislation
is envisaged to be adopted to cover ID theft crimes. Instead, the policy emphasis in
Cyprus, especially on the part of the Cyprus Police, is more on improving awareness of
ID theft risks among potential victims.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
The Processing of Personal Data (Protection of Individuals) Law of 2001, Law
138 (I) 2001 adopted on 23.11.2001 as amended on 2.5.2003 by amending
Law No. 37(Ι)/2003 (Ο Περί Επεξεργασίας Δεδομένων Προσωπικού
Χαρακτήρα (Προστασία του Ατόμου) Νόμος)
Reference
http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/index_en/index_en?opendocument
Main provisions in relation to ID theft
The Law transposes the Data Protection Directive 95/46/EC. ID theft incidents
will typically constitute unlawful processing, as they will violate the conditions for
lawful processing of personal data (section 4) which include an obligation for
the fair and lawful processing of data, the obligation to collect personal data for
specified, explicit and legitimate purposes and that said data are not further
processed in a way incompatible with those purposes. Under the law personal
data may be processed only if the data subject has unambiguously given his
consent (section 5). There is also an obligation for confidentiality and security
of processing (section 10): the data controller must take the appropriate
organizational and technical measures for the security of data and their
protection against accidental or unlawful destruction, accidental loss, alteration,
unauthorised dissemination or access and any other form of unlawful
processing. Such measures shall ensure a level of security which is appropriate to
the risks involved in the processing and the nature of the data processed. The
Law also grants certain rights to data subjects such as the right of information
(section 11), right of access to inaccurate data or unlawful processing and right
of rectification, erasure or blocking of the data, the processing of which has not
been performed in accordance with the provisions of this Law (section 12) and
the right to object (section 13). Finally there are certain formal obligations such
as the prior notification to the Cypriot Commissioner for the Protection of
Personal Data (section 21).
Prescribed sanction
According to section 17, the data controller shall compensate a data subject
who has suffered damage by reason of violation of any provision of this Law,
unless he proves that he is not responsible for the event that caused the damage.
The data subject also has a right of temporary judicial protection (section 16).
Section 25 of the Law also provides for administrative sanctions namely (a) a
warning with a specific time-limit for termination of the contravention; (b) a
fine of up to EUR 9000; (c) temporary revocation of a license; (d) permanent
revocation of a license; and (e) the destruction of a filing system or the cessation
of processing and the destruction of the relevant data. Finally, the Law provides
for certain offences and penalties under section 26 which may be sanctioned by
imprisonment for a term not exceeding five years or by a fine not exceeding
EUR 9000 or both.
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
Law Regulating Electronic Communications and Postal Services of 2004,
Ν.112(Ι)/04 as amended adopted on 30 April 2004 (Ο Περί Ρυθμίσεως
Ηλεκτρονικών Επικοινωνιών και Ταχυδρομικών Υπηρεσιών Νόμος Του
2004, Ν112(Ι)/2004)
Reference
See http://www.ocecpr.org.cy/nqcontent.cfm?a_id=2166&tt=ocecpr&lang=gr
Main provisions in relation to ID theft
Pursuant to Section 98 of the Law, providers of publicly available electronic
communications networks and/or services must take all appropriate technical
and organisational measures to safeguard the security of their networks and
services, to such an extent that is appropriate to the level of the risk
presented, having regard to the cost of implementation of such security
systems and the state of the art of technical capabilities. In case of a particular
risk of a breach of the security of the network, providers must inform their
subscribers concerning such risk and of any possible remedies for its
avoidance, including an indication of the likely costs involved.
An obligation to take appropriate technical and organisational measures is
also imposed by Section 99 of the Law, which provides that publicly
available electronic communications networks and/or services as well as their
employees, must take all such measures to safeguard the confidentiality of
each communication and related traffic data carried out by means of a public
communications network and publicly available electronic communications
services. In this respect, no person, other than users communicating between
themselves from time to time, is allowed to listen into, tap, store, intercept
and/or undertake any other form of surveillance of communications without
the consent of the users concerned, except where this is provided for by Law
and where there is an authorisation by the Court.
Section 149 (6) of this Law prohibits the following acts:
• sending by means of a public communications network, a message
and/or other matter that is grossly offensive and/or of an indecent,
obscene and/or menacing character
• sending by means of a public communications network for the purpose
of causing annoyance, inconvenience and/or needless anxiety to another,
a message that he knows to be false and/or persistently making use for
that purpose of a public communications network
Section 149 (7) of this Law prohibits the use of any apparatus, for the
purpose of interfering with any other apparatus.
Section 149 (8) of this Law prohibits a person, who is an authorised
undertaking or is employed by an authorised undertaking or who is engaged
in any capacity by any authorised undertaking, if in contravention of his
duty-
• prevents and/or obstructs the sending, conveying and/or delivery of any
message;
• intentionally amends and/or interferes with the content of any message;
and/or
• intentionally intercepts any message and/or intentionally discloses
and/or uses the content of any message, any information and/or
document that relates to the content of any message, and/or to the
public affairs and/or personal particulars of any person in.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings:
• Violations of section 149(6) can be criminally sanctioned with fines of
up to 1700 EUR.
• Violations of section 149(7) can be criminally sanctioned with
imprisonment not exceeding 3 months or with fines not exceeding 1000
EUR, or with both such penalties.
• Violations of article 147(8) can be criminally sanctioned with
imprisonment not exceeding 6 months or fines not exceeding 1700
EUR.
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
The Constitution
Reference
See www.leginet.eu
Main provisions in relation to ID theft
The Right of Privacy is safeguarded by Article 15.1 of the Constitution.
Article 15.1 is modelled on Article 8 of the European Convention of
Human Rights that proclaims a right to privacy as such. The Convention
has been ratified, together with its First Protocol, by the European
Convention on Human Rights (Ratification) Law of 1962.
The right to secrecy of correspondence is safeguarded by Article 17 of the
Constitution which provides that ‘(1) Every person has the right to respect
for, and to the secrecy of, his correspondence and other communication if
such other communication is made through means not prohibited by law’;
and ‘(2) There shall be no interference with the exercise of this right except
in accordance with the law and only in cases of convicted and unconvicted
prisoners and business correspondence and communication of bankrupts
during the bankruptcy administration’.
The notion of correspondence includes not only letters in paper form but
also other forms of communication in electronic form received at or
originated from the workplace, such as telephone calls made from or
received at business premises or emails received at or sent from the offices’
computers. On this basis electronic communication is also part of private
life.
Prescribed sanction
Not applicable
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
The Law for the Protection of Confidentiality of Private Communications
(Interception of Conversations) of 1996, Law No. 92(I)/1996 (Προστασίας
του Απόρρητου της Ιδιωτικής Επικοινωνίας (Παρακολούθηση
Συνδιαλέξεων) Νόμος του 1996 Ν. 92(I)/1996)
Reference
See www.leginet.eu
Main provisions in relation to ID theft
According to the Law, a person will be guilty of an offence if he/she:
• Taps or intercepts or attempts to tap or intercept or causes or allows or
authorises any other person to tap or intercept any private
communication, on purpose.
• Uses, attempts to use, instigates or causes or authorises another person
to use or to attempt to use any electronic, mechanical, electromagnetic,
acoustic or other apparatus or machine for the purpose of tapping or
intercepting any private communication, on purpose.
• Reveals or attempts to reveal to any other person the content of any
private communication, on purpose, while being aware or having
reason to believe that the information was received by bugging or
interception of private communication.
• Uses or attempts to use, on purpose, the content of any private
communication, when being aware or having reason to believe that the
information was received by tapping or interception of a private
communication.
Prescribed sanction
Violations of the Law can be criminally sanctioned with imprisonment up
to three years.
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
The Banking Law of 1997, Law Νo. 66(I)/1997 as amended by Law No.
74(I)/1999, Law Νo. 94(I)/2000, Law Νo. 119(I)/2003, Law Νo. 4(I)/2004
and Law No. 151(I)/2004
Reference
See www.leginet.eu
Main provisions in relation to ID theft
Section 29 of the Banking Law provides for the duty of banking secrecy. It
reads that no director, chief executive, manager, officer, employee and any
person who has by any means access to the records of a bank, with regard to
the account of any individual customer of that bank shall, while his
employment in or professional relationship with the bank, as the case may
be, continues or after the termination thereof, give, divulge, reveal or use for
his own benefit any information whatsoever regarding the account of that
customer.
These provisions also apply to any branch of an electronic money institution
licensed in another member state or to any electronic money institution
licensed in another member state which provides cross border services.
Prescribed sanction
A violation of the banking secrecy obligation is an offence
punishable with imprisonment up to two years or with a fine up to EUR
85,000 or with both and in case of a continuing offence by a further fine up
to EUR 1,700 for each day during which the offence continues.
Criminal Law
Fraud
Relevant law
Criminal Code, Cap. 154 (Ποινικός Κώδικας, Κεφ. 154)
Reference
See http://www.leginet.eu
Main provisions in relation to ID theft
Fraud falls within the general framework of ‘false pretences’
prescribed by section 297 et seq. of the Criminal Code. In general,
the Criminal Code forbids criminal offences that are related to false
pretences, including misrepresentation (s. 297), false impersonation
and securing goods and the execution of an act by misrepresentation
and false pretences (s. 298 and s. 299). Other offences include
subterfuge and conspiracy to commit false pretences (s. 302),
securing credit by false pretences (s. 301), fraud (s. 300), fraudulent
transactions in relation to property belonging to another person
(s. 303), eg, by advertising and pretending to be the owner of said
property.
Where fraud is specifically concerned, section 300 of the Criminal
Code prescribes that fraud is committed where any person, by
means of a fraudulent trick, acquires from another person anything
which is the subject matter of theft or instigates another person to
give money or goods to a third person which is higher in value than
what that person would have paid if such trick had not been used.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of the above sections can be criminally sanctioned with
imprisonment up to 5 years.
Criminal Law
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code, Cap. 154 (Ποινικός Κώδικας, Κεφ. 154)
Reference
See http://www.leginet.eu
Main provisions in relation to ID theft
Forgery is punished by Part VIII of the Criminal Code. Section 333
of the Code is most relevant in that it prescribes that a criminal
offence is committed where, fraudulently:
• a person draws a document which is not real,
• changes a document without authority in order to gain
authority thereby,
• changes a document inserting something therein which has the
result of changing the consequences of the use of such a
document
• signs a document using someone else’s name and without that
person’s authorization or by using the name of a non-existing
person
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of the above sections can be criminally
sanctioned with imprisonment up to 3 years. However, if the forged
document is a will, title deed, insurance document, bank guarantee
and the like, imprisonment is up to 14 years.
Cybercrime – illegal access to information systems (hacking)
Relevant law
Law of 2004 Ratifying the Cybercrime Convention of 2001,
Law No. 22(III)/2004
Reference
See: www.leginet.eu
Main provisions in relation to ID theft
Illegal access to information systems is punished by Section 4 of the
Law, according to which a person who intentionally and without
right gains access to the whole or any part of a computer system by
infringing security measures commits an offence. Within this framework, the
term ‘computer system’ is interpreted by the Law as any device or a
group of inter-connected or related devices, one or more of which,
pursuant to a program, performs the automatic processing of the
data.
System Interference is also relevant in this respect. By virtue of
Section 7 of the Law, a person who intentionally and without right
seriously hinders the functioning of a computer system by inputting,
transmitting, damaging, deleting, deteriorating, altering or
suppressing computer data commits an offence.
Illegal Interception further relates to illegal access. In this respect,
pursuant to Section 5 of the Law, a person who intentionally
intercepts without right by technical means, computer data that is
not transmitted to the public from or within a computer system,
commits an offence.
Computer data is interpreted by Section 2 of the Law as any
representation of facts, information or concepts in a form suitable for
processing in a computer system, including a program suitable to
cause a computer system to perform a function. With regard to illegal
interception in particular, computer data includes data stored or
emitted by electronic or magnetic or other means from a computer
system carrying such computer data.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of Sections 4, 5 and 7 of the Law can be criminally
sanctioned with imprisonment between 2 and up to five years or with
a fine up to EUR 34,000 or with both such penalties.
Cybercrime – illegal data interference
Relevant law
Law of 2004 Ratifying the Cybercrime Convention of 2001,
Law No. 22(III)/2004
Reference
See: www.leginet.eu
Main provisions in relation to ID theft
According to Section 6 of the Law, a person who intentionally and
without right damages, deletes, deteriorates, alters or suppresses
computer data commits an offence.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of Sections 4, 5 and 7 of the Law can be criminally
sanctioned with imprisonment between 2 and up to five years or with
a fine up to EUR 34,000 or with both such penalties.
Cybercrime – computer-related forgery
Relevant law
Law of 2004 Ratifying the Cybercrime Convention of 2001,
Law No. 22(III)/2004
Reference
See: www.leginet.eu
Main provisions in relation to ID theft
Computer-related forgery is punished by Section 9 of the Law, which
makes it an offence for a person to, intentionally and without right,
input, alter, delete or suppress computer data, resulting in
inauthentic data with the intent that such data be considered or acted
upon for legal purposes as if they were authentic. This is regardless of
the fact that the data were directly readable and intelligible.
Where misuse of devices is concerned, section 8 of the Law prohibits
the intentional production, sale, procurement for use, import,
distribution, without the requisite rights, or otherwise making
available of
(i) A device, including a computer program, designed or adapted
primarily for the purpose of committing any of the offences
established in accordance with Sections 4 to 7 of the Law;
(ii) A computer password, access code, or similar data by which the
whole or any part of a computer system is capable of being
accessed so that it be used for the purpose of committing any of
the offences established in Sections 4 to 7 of the Law.
Furthermore, this Section prohibits the intentional and without right
possession of any of the aforementioned items for the purpose of
using the same in order to commit any of the offences established in
Sections 4 to 7 of the Law.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of Sections 8 and 9 of the Law can be criminally sanctioned
with imprisonment between 2 and up to five years or with a fine up
to EUR 34,000 or with both such penalties.
Cybercrime – computer-related fraud
Relevant law
Law of 2004 Ratifying the Cybercrime Convention of 2001,
Law No. 22(III)/2004
Reference
See: www.leginet.eu
Main provisions in relation to ID theft
Computer-related fraud is punished by Section 10 of the Law
according to which, a person who intentionally and without right,
with fraudulent or dishonest intent, causes damage to the property of
another by inputting, altering, deleting or suppressing computer data
or by causing any interference with the functioning of a computer
system, and as a result procures, without right, an economic benefit
for oneself or for another, will commit an offence.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of Section 10 of the Law can be criminally sanctioned with
imprisonment between 2 and up to five years or with a fine up to
EUR 34,000 or with both such penalties.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
• Violation of data protection laws, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable (eg, publication of the victim's name, address,
photo, etc.);
• Violation of communication confidentiality laws, if the false
profile results in messages being sent to the false profile which
were intended for the real recipient and where communication
between the 2 users is not authorised;
• Forgery and/or computer-related forgery, if the forgery changed
the legal impact of the information or where something was
achieved without by false pretences;
• Fraud and/or computer-related fraud, if the false identity was
used to unlawfully appropriate property or money or some other
benefit.
• Violation of other laws relating to child pornography,
prostitution and sexual offences in general in the event that false
IDs are used by sexual predators to attract their victims.
• Illegal access to information systems, if the credentials were used
to access a system without authorisation
Case law available?
Not known. It should be noted that there is no readily available
information about case-law at first instance level because in Cyprus
only cases at appeal level are being recorded. Therefore, there may have
been cases judged on this matter.
There is currently a pending case regarding a Facebook incident but it
does not concern false identity. According to a newspaper article, a
38-year-old National Guardsman was remanded in custody in connection
with the rape, corruption and sexual exploitation of a young girl whom
he befriended on the social networking site. This was the first known
incident in Cyprus where an alleged suspect had used the Internet to
arrange a meeting with a minor and then sexually abuse them.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Such an incident would likely involve:
• Violation of data protection laws, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable (eg, publication of the victim's name, address,
photo, etc.);
• Violation of communication confidentiality laws, if the false
profile results in messages being sent to the false profile which
were intended for the real recipient and where communication
between the 2 users is not authorised;
• Forgery and/or computer-related forgery, if the forgery changed
the legal impact of the information or where something was
achieved without by false pretences;
• Fraud and/or computer-related fraud, if the false identity was
used to unlawfully appropriate property or money or some other
benefit.
• Violation of other laws relating to child pornography,
prostitution and sexual offences in general in the event that false
IDs are used by sexual predators to attract their victims.
• Illegal access to information systems, if the credentials were used
to access a system without authorisation
Case law available?
Not known. It should be noted that there is no readily available
information about case-law at first instance level because in Cyprus
only cases at appeal level are being recorded.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
• a violation of the data protection law, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
• violation of communication confidentiality laws, if the
collection of the credentials can be qualified as unlawful access
to data related to electronic communication;
• fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
• illegal data interference, if the act of phishing involved
entering, changing or deleting information in an information
system without authorisation (eg, in order to falsify a website).
Case law available?
No known case law. There have been many reported instances of
phishing in the banking industry.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using the spyware itself (independent from what the
perpetrator would do with the stolen information) would likely be:
• a violation of the data protection laws, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
• violation of communication confidentiality laws, if the
collection of the credentials can be qualified as unlawful access
to data related to electronic communication;
• illegal access to information systems, since installing the
spyware is likely a violation of access rights;
• illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system
without authorisation.
Case law available?
No known case law.
Trafficking in unlawfully obtained personal information (eg, selling databases
of email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
• a violation of the data protection laws, since the personal
information would be unlawfully processed;
• a violation of communication confidentiality laws, if the
personal information contained data related to electronic
communication (like email addresses, IP addresses, etc.).
Case law available?
In 2009 there were 40 complaints filed with the Office of the
Commissioner for the Protection of Personal Data regarding
unsolicited marketing against an email marketing company. A
fine of EUR 8000 was imposed. There were various other such
fines imposed over the years.
ID theft reporting mechanisms
SafenetCY reporting site
SafenetCY is the Cyprus Self Regulatory Body for Internet Content. It is the Hotline that
promotes the safe use of the Internet in Cyprus. It serves the needs of all people who live on
the island and addresses not only issues of pornography, but also racism, gender
discrimination and inappropriate use of people’s images. It operates as a combined
Awareness Node and a Hotline under the name CyberEthics. The project engages actors
from the government and the civil society, thus contributing towards the eradication of
cyber crime through informed actions of European citizens and public institutions that
aim to change behaviour, mentality and attitudes, giving special emphasis to rural and less
developed areas of the country.
SafenetCY accepts, processes, and forwards reports. Persons can report any content on the
Internet that they believe is illegal or even annoying. This includes the reporting of
websites, Newsgroups, FTP, emails and Chat rooms. Where content is hosted in
a country other than Cyprus, SafenetCY takes the appropriate action to inform the
specific country.
The specific Objectives of the Hotline are the following:
• Operate an island-wide hotline for Internet users in Cyprus to report illegal and
harmful material and activities, so as to reduce the circulation of illegal content on
the Internet.
• Inform users of the hotline’s scope of activity and how to contact it;
• Make clear to users the difference between their activities and those of public
authorities, and inform them of the existence of alternative ways of reporting illegal
content.
• Deal rapidly with complaints received, in accordance with best practice guidelines
drawn up by the network and in cooperation with law enforcement authorities.
• Exchange specific information on identified illegal content with other members in
the network.
• Participate actively in networking nationally and at European level and contribute to
cross-border discussions and exchange of best practice.
• Co-operate with the awareness node present in the country and Europe Direct.
• Take an active part in events organized for safer Internet day at European, national
and local level.
• Develop a structured method of concentration with the relevant actors (eg, Internet
Industry association, major communication service providers, media regulators, legal
authorities) in cooperation with other safer Internet nodes in the country, if any.
Every report is recorded in SafenetCY’s database. From that point every procedure has to
be completed no later than 24 hours from the time the report was made. The following steps are
taken by SafenetCY:
• Verification: First, SafenetCY performs a typical verification of the reported content.
If, for example, the report complains about a website, SafenetCY verifies that the
address (URL) given exists and that its content is possibly illegal. If the report does
not refer to illegal content according to Cyprus Law, then no further action is
taken, except where the specific situation needs national attention (see 8.
below).
• Tracing the source: Then, an attempt is made, using technical means, to trace the
country where the reported content originates.
• Cyprus Police notification: SafenetCY forwards all reports, regardless of the
originating country of the reported content, to the Cyprus Police.
• Ask help from child welfare: If the reporting source originates in Cyprus and the
form of the report could hurt an involved child then the child welfare will take the
appropriate actions to support the child.
• Foreign hotline notification: If the reported content originates from abroad, the
report is also forwarded to a hotline in the country of origin (if one exists). If the
content originates from Cyprus this specific step is omitted.
The Police
Usually, victims of ID theft report an incident directly to the police by visiting a police
station in their area.
Personal assessment of the framework for combating ID theft
Because the Republic of Cyprus has ratified the Cybercrime Convention and
has harmonised Cypriot legislation with the applicable acquis communautaire, it can be
said that, globally, the legal framework for combating ID theft incidents in Cyprus is
adequate. The establishment of the SafenetCY Hotline has also facilitated the
establishment of efficient reporting mechanisms.
Victims of ID theft may report any event either through the SafenetCY Hotline or
directly to the Police. The SafenetCY Hotline is not promoted as a site where only
non-victims report Internet crimes; on the contrary, it is a forum for actively protecting
victims.
ID theft appears to take a high priority in investigations, especially in cases of clear and
significant harm to the victim. There are many reports in various public media such as
news sites regarding the Police’s efforts and work in fighting cybercrime and ID theft,
especially where sexual offences against minors or theft are involved.
Investigation of incidents in cross-border cases is regularly carried out in collaboration
with INTERPOL and EUROPOL. There have been many instances where persons have been
extradited to their country of origin in order to be tried for cybercrime offences
committed on an international level.
Czech Republic
Applicable laws
Laws focusing explicitly on ID theft
No legislation exists in the Czech Republic that focuses explicitly on ID theft as a specific
crime, or that defines such a crime. Introducing ID theft as a crime had been considered
during the preparation of the new Penal Code in 2009; however no such crime was
included when the Penal Code was adopted.
Other laws that may apply to ID theft incidents
Data protection law
Relevant law
Act No. 101/2000 Coll., on the Protection of Personal Data and
on the Amendment of Certain Acts of April 4, 2000, as amended
(hereinafter ‘the Data Protection Act’) (Zákon č. 101/2000 Sb., o
ochraně osobních údajů a o změně některých zákonů)
Reference
http://www.uoou.cz/uoou.aspx?menu=4&submenu=5
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they
will violate the legitimacy requirements (Section 5), the
proportionality obligations and the purpose restriction, the
transparency obligations (Sections 11, 12), the security
obligations (Section 13) and formal obligations such as the prior
notification to the Czech Office for Personal Data Protection
(Section 17).
Prescribed sanction
The violation of the Data Protection Act constitutes an
administrative tort, for which a fine up to CZK 5,000,000 may
be imposed (approximately EUR 200,000).
Civil law
Relevant law
Act No. 64/1964 Coll., the Civil Code, of February 26, 1964, as
amended (hereinafter ‘the Civil Code’) (Zákon č. 64/1964 Sb.,
občanský zákoník)
Reference
http://business.center.cz/business/pravo/zakony/obcanzak/
Main provisions in relation to ID theft
Section 11 Protection of personhood:
An individual has the right to protection of his or her
personhood, in particular of his or her life and health, civic
honour and human dignity as well as of his or her privacy, name and
expressions of personal nature.
Prescribed sanction
Apart from the obligation to discontinue the infringement a
court may impose a sanction of monetary compensation of the
detriment suffered. The right to claim damages remains
unaffected by this sanction.
Communications secrecy laws
Relevant law
Act No. 127/2005 Coll., on Electronic Communications and on
the Amendment of Certain Related Acts (Zákon o elektronických
komunikacích a o změně některých zákonů)
Reference
http://www.rrtv.cz/en/static/laws/Electronic_Communications_
Act.pdf
Main provisions in relation to ID theft
Section 93 prohibits sending messages from an email address to
third parties without the consent of the holder of that email
address.
Prescribed sanction
To legal entities and self-employed individuals a fine up to 10
percent of the revenues gained during the preceding calendar
year, but not higher than CZK 5,000,000 (approximately EUR
200,000), may be imposed. To an individual a fine up to CZK
100,000 (approximately EUR 4,000) may be imposed.
Breach of Privacy of Transmitted or Mailed Messages
Relevant law
Act No. 40/2009 Coll., the Criminal Code (Zákon č. 40/2009
Sb., trestní zákoník), (hereinafter the ‘Criminal Code’)
Reference
http://business.center.cz/business/pravo/zakony/trestni-zakonik/
Main provisions in relation to ID theft
The breach of the privacy of transmitted or mailed messages is
sanctioned under Section 182 of the Criminal Code.
• Section 182 (1) sanctions the intentional breach of the
privacy of:
(a) a closed (sealed) letter or another written
communication forwarded by post or any other
transmission;
(b) a data, text, voice, sound or image message sent
via an electronic communication network and
addressed to an identified participant or user,
who is receiving the message; or
(c) a private computer data transfer in, out of or
within a computer system, including the
electromagnetic emission from the computer
system that transfers data.
• Section 182 (2) sanctions the acquiring of an unlawful
benefit with the intention to harm a third party by way
of
(a) breaching a secret, known from a letter, phone
call or from a transfer over an electronic
communication network involving such a
secret; or
(b) using such a secret.
• Section 182 (5) sanctions an employee of a postal or
telecommunication services or computer system or any
person performing communication activities, who
(a) commits the acts set out in Section 182 (1) and
182 (2);
(b) intentionally enables another person to commit
the acts set out in Section 182 (1) and 182 (2); or
(c) modifies or deletes documentation contained in a
certified mail or transferred by a transmission
facility or a message delivered by private
computer data transfer, phone or another similar
way.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• The violation of Section 182 (1) (a), (b) or (c) may be
criminally sanctioned with imprisonment for up to 2
years or with the prohibition of undertaking a (specific)
activity;
• The violation of Section 182 (2) (a) or (b) may be
criminally sanctioned with imprisonment for up to 2
years or with the prohibition of undertaking a (specific)
activity;
• The violation of Section 182 (5) (a), (b) or (c) may be
criminally sanctioned with imprisonment for between 1
and 5 years or with the prohibition of undertaking a
(specific) activity or with a penalty;
• Certain circumstances, such as causing extensive damage
in an amount exceeding CZK 5,000,000
(approximately EUR 200,000) or committing an act
under Section 182 as a public official, may further
increase the sanction that the court may impose.
Damaging Another Person's Rights
Relevant law
The Criminal Code (trestní zákoník)
Reference
http://business.center.cz/business/pravo/zakony/trestni-zakonik/
Main provisions in relation to ID theft
Damaging another person’s rights is sanctioned under Section
181 of the Criminal Code. This Section sanctions causing a
serious detriment to a third party's rights by misleading such
third party or by exploiting its mistake.
The provisions of Section 181 protect rights other than property
rights.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violation of Section 181 may be criminally
sanctioned with imprisonment for up to 5 years or the
prohibition of undertaking a (specific) activity.
Fraud
Relevant law
The Criminal Code (trestní zákoník)
Reference
http://business.center.cz/business/pravo/zakony/trestni-zakonik/
Main provisions in relation to ID theft
Fraud in general is sanctioned under Section 209 of the Criminal
Code. This Section sanctions obtaining a benefit in an amount
exceeding CZK 5,000 (approximately EUR 200) for the offender
or for a third party to the detriment of another person's property
by misleading another person, or by taking advantage of another
person's mistake or by withholding substantial facts.
This would apply to any ID theft incidents involving the use of a
false identity. This would also apply to any ID theft incidents
involving the use of false identity information in an information
system (eg, changing the name of the holder of a bank account,
or performing banking transactions under someone else’s name).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violation of Section 209 may be criminally
sanctioned with imprisonment for up to 12 years, the prohibition
of undertaking a (specific) activity, and a penalty or the forfeiture
of a (specific) asset or other value.
Forgery and altering a public document
Relevant law
The Criminal Code (trestní zákoník)
Reference
http://business.center.cz/business/pravo/zakony/trestni-zakonik/
Main provisions in relation to ID theft
Forgery or altering a public document is sanctioned under
Section 348 of the Criminal Code.
This Section sanctions (i) forging an official document or
materially altering its contents with the intention to present such
document as genuine, (ii) presenting such document as genuine,
(iii) procuring such document for one’s own or a third party’s
benefit, (iv) producing, offering, selling, mediating, maintaining
accessible or possessing an instrument, equipment or its
component, device or any other instrument including computer
software created or adapted for the purpose of forging or
altering an official document.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violation of Section 348 may be criminally
sanctioned with imprisonment for up to 10 years or the
prohibition of undertaking a (specific) activity.
Cybercrime – Unlawful access to a computer system or data carrier (‘Hacking’)
Relevant law
The Criminal Code (trestní zákoník)
Reference
http://business.center.cz/business/pravo/zakony/trestni-zakonik/
Main provisions in relation to ID theft
Unlawful access to a computer system or data carrier is
sanctioned under Section 230 of the Criminal Code including in
particular:
• Section 230 (1) sanctions passing over a security device
and unlawfully acquiring access to a computer system or
its part.
• Section 230 (2) sanctions acquiring access to a computer
system or data carrier and
(a) making unauthorized use of data stored in the
computer system or on the data carrier;
(b) unlawfully deleting data stored in the computer
system or on the data carrier or in another way
destroying, damaging, changing, deleting,
lowering their quality or making them unusable;
(c) falsifying or changing data stored in the
computer system or on the data carrier so that
the data are considered to be authentic or used as
being authentic, no matter if such data are
directly legible or understandable; or
(d) unlawfully inserting data to the computer system
or to the data carrier or intervening in a program
or technical equipment of a computer or another
technical facility used for data processing.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system or to misappropriate credentials from such a system and
to, for example, any ID theft incidents involving the use of false
identity information in an information system. This would also
apply to any ID theft incidents involving the falsifying of identity
information stored in an information system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• The violation of Section 230 (1) may be criminally
sanctioned with imprisonment for up to 1 year, the
prohibition of undertaking a (specific) activity or the
forfeiture of a (specific) asset or other value.
• The violation of Section 230 (2) (a), (b), (c) or (d) may
be criminally sanctioned with imprisonment for up to 2
years, the prohibition of undertaking a (specific) activity
or the forfeiture of a (specific) asset or other value.
• Certain circumstances, such as causing damages or
acquiring a benefit in an amount exceeding CZK
500,000 (approximately EUR 20,000) may further
increase the sanction that the court may impose.
Cybercrime – Acquiring or obtaining access equipment or codes for computer
systems or other similar data
Relevant law
The Criminal Code (trestní zákoník)
Reference
http://business.center.cz/business/pravo/zakony/trestni-zakonik/
Main provisions in relation to ID theft
Acquiring or obtaining access equipment or codes for computer
systems or other similar data is sanctioned under Section 231 of
the Criminal Code.
• Section 231 (1) sanctions the breach of the privacy of
transmitted messages, unlawfully gaining access to a
computer system or data carrier, importing, exporting,
offering, mediating, selling or making otherwise
accessible or preserving
a) equipment or its part, process, tool or any other
device, including a computer program, created or
adjusted for the purpose of unlawfully gaining
access to an electronic communication network,
computer system or its part; or
b) a computer password, access code, data, process
or any other similar device by means of which it
is possible to gain access to a computer system or
its part.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• violations of Section 231 (1) (a) and (b) may be
criminally sanctioned with imprisonment for up to one
year, with the prohibition of undertaking a (specific)
activity or with the forfeiture of a (specific) asset or other
value.
• Certain circumstances, such as acquiring an extensive
personal or third party benefit in an amount exceeding
CZK 500,000 (approximately EUR 20,000), may
further increase the sanction that the court may
impose.
Cybercrime – Damaging a record in a computer system or a data carrier and
interference with a computer feature through negligence
Relevant law
The Criminal Code (trestní zákoník)
Reference
http://business.center.cz/business/pravo/zakony/trestni-zakonik/
Main provisions in relation to ID theft
Damaging a record in a computer system or a data carrier and
interference with a computer feature is sanctioned under Section
232 of the Criminal Code. This Section sanctions gross
negligence in violating the obligations arising from employment,
a profession, position or function or specified by law or by a
contract, by
a) destroying, damaging, changing or rendering unusable
data saved in a computer system or data carrier; or
b) interfering with technical or program equipment of a
computer or other technical system for data
processing
and as a result causing damage in an amount
exceeding CZK 500,000 (approximately EUR 20,000).
This would apply to any ID theft incidents involving falsifying of
identity information stored in an information system by violating
obligations arising from employment, a profession, position or
function or specified by law or from a contract.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• The violation of Section 232 (1) (a) or (b) may be
criminally sanctioned with imprisonment for up to 6
months, with the prohibition of undertaking a (specific)
activity or with the forfeiture of a (specific) asset or other
value.
• Certain circumstances, such as causing extensive
damage (exceeding CZK 5,000,000, approximately EUR
200,000), may further increase the sanction that the
court may impose.
Infringement of copyright, related rights and database rights
Relevant law
The Criminal Code (trestní zákoník)
Reference
http://business.center.cz/business/pravo/zakony/trestni-zakonik/
Main provisions in relation to ID theft
The infringement of copyright, related rights and database rights
is sanctioned under Section 270 of the Criminal Code. This
Section sanctions illegally infringing lawfully protected rights
(covered by copyright) to an author's work, a performing artist's
performance, a sound or audiovisual recording, or a radio or
television broadcasting, or a database.
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceeding, a violation of Section 270 of the Criminal Code may
be criminally sanctioned with imprisonment for up to 8 years,
with the prohibition of undertaking a (specific) activity or with
the forfeiture of a (specific) asset or other value.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- a violation of data protection law, since personal data of the
victim would likely be unlawfully processed to make the false
identity credible (eg, publication of the victim's name, address,
photo, etc.);
- a violation of communication secrecy laws, if the false account
receives messages intended for a real recipient;
- a violation of the right to protection of personhood;
- fraud;
- unlawful access to a computer system or data carrier;
- acquiring or obtaining access equipment or codes for computer
systems or other similar data.
Case law available?
To our knowledge there is no relevant case law.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications defined in Chapter 1 could apply,
depending on how the credentials were used:
- a violation of the data protection law, since the credentials are
likely to be considered personal data which are being unlawfully
processed;
- fraud;
- gaining unlawful access to a computer system or data carrier;
- damaging another person’s rights; and
- acquiring or obtaining access equipment or codes for computer
systems or other similar data.
Case law available?
In 2008 an offender stole a passport of another person and acted
as this person during criminal proceedings concerning theft, in
which the offender was also found guilty under the other person’s
name. The offender was subsequently accused of a criminal
offence consisting in harming a third party’s rights. The criminal
proceedings are ongoing and a sanction has not been imposed
yet. The sanction may be imprisonment for up to two years.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the offender
would do with the stolen information) would most likely qualify
as:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- fraud; and
- gaining unlawful access to a computer system or data carrier.
Case law available?
There have been several cases involving phishing in relation to
which a criminal investigation has been initiated, but to our
knowledge no final judgements have thus far been issued in these
cases.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
Using falsified identity documents to unlawfully apply for social
benefits would most likely qualify as:
- forgery and altering a public document; and
- fraud.
Case law available?
To our knowledge there is no relevant case law.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using spyware (independent from what the offender
would do with the stolen information) would likely qualify as:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which are being unlawfully
processed;
- unlawful access to a computer system or data carrier; and
- acquiring or obtaining access equipment or codes for computer
systems or other similar data.
Case law available?
To our knowledge there is no relevant case law.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely qualify as:
- a violation of the data protection act, since the personal
information would be unlawfully processed;
- unlawful use of personal data; may be committed only in
connection with the public administration.
Case law available?
To our knowledge there is no relevant case law.
ID theft reporting mechanisms
The Office for Personal Data Protection
The Office for Personal Data Protection is an independent body supervising the
observance of statutory requirements in the processing of personal data and deals with
complaints from citizens concerning alleged infringements of the relevant legislation.
The Office may impose sanctions (penalties) for breaches of the Data Protection Act
that constitute administrative torts.
Police of the Czech Republic
Where ID theft can be considered a violation of criminal law the incident is to be
reported to the Police in line with standard procedures. No special reporting
mechanism has been established.
Other sites
The following websites focus on safety on the Internet. The first one forms part of the EU
program ‘Safer Internet’, the second and third websites have been endorsed by the Czech
Police and Ministry of Education.
- http://www.saferinternet.cz/o-projektu
- http://www.emag.cz/komiks-bezpecny-internet/
- http://www.internethotline.cz/co-a-jak-hlasit-co-nehlasit.htm
Personal assessment of the framework for combating ID theft
Globally, it can be concluded that the legal framework for combating ID theft incidents in
the Czech Republic is sufficiently comprehensive, as there do not appear to be any
examples of ID theft incidents that are not covered under the present legislation.
The Czech Republic has adopted a new law significantly changing the punishment of
cybercrime.
With its entry into effect on 1 January 2010, the new Criminal Code includes a range of
provisions sanctioning cybercrime. The proposals for these provisions were based on the
Cybercrime Convention approved by the Committee of Ministers of the European
Council in 2001 (the Convention), which the Czech Republic signed in 2005 (but which
has yet to be ratified by the Czech Republic).
Current regulations
Until the end of 2009, Section 257a of the former Criminal Code contained only one
provision which explicitly described and dealt with what could be referred to as
cybercrime. The subject matter of this Section was the protection of computer data stored
on a carrier of information against intentional unauthorised alteration, destruction or
unauthorised use, as well as the protection of computers (computer systems) from
unauthorised interference.
A number of new criminal offences have only been introduced as of 1 January 2010 by the
new Criminal Code. Until then, the activities covered by these offences were prosecuted as
other, more generally described, criminal offences. For these reasons the present total
number of prosecuted, accused and convicted offenders for cybercrime is relatively low;
however, it may be assumed that these numbers will increase significantly over the next
years.
Another related issue is the lack of incentives to report ID theft. For example, the banks
and other financial institutions whose clients fell victim to ID theft are often reluctant to
report these crimes to the law enforcement authorities for fear of reputational damage
and loss of credibility, and they prefer instead to compensate their clients for any financial
losses.
Legal consequences
The new Criminal Code takes into consideration recent developments in information
technology and the know-how of cybercriminals, heralding a significant change in the
prosecution of cybercrime in the Czech Republic.
Denmark
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Denmark that focuses explicitly on ID theft as a
specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, fraud, etc.).
No such legislation is currently under consideration according to available information.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Act no 429 of 31 May 2000 on processing of personal
information (persondataloven)
Reference
See https://www.retsinformation.dk/Forms/R0710.aspx?id=828
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they will
violate legitimacy requirements, proportionality obligations and
the purpose restriction (article 5), transparency obligations
(article 28 and 29), security obligations (article 41) and formal
obligations such as the prior notification to the Danish Data
Protection Officer Privacy (article 48).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with fines or imprisonment for up to 4 months.
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
Consolidation Act no 780 of 28 June 2007 on competition and
consumer relations within the telecommunications market
(Lovbekendtgørelse om konkurrence- og forbrugerforhold på
telemarkedet)
Reference
See
https://www.retsinformation.dk/Forms/R0710.aspx?id=29326
Main provisions in relation to ID theft
Article 13 of the Act states that owners, providers of
telecommunication networks and employers of the provider are not
allowed unlawfully to pass on or exploit information about the
users’ use of the network. Furthermore the owners and providers
must take the necessary steps to ensure that the information is
not available to third parties.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings a violation of article 13 can be criminally sanctioned
with fines.
Communications secrecy laws – contents of electronic communication
Relevant law
The Criminal Code – Consolidation Act no 1034 of 29 October
2009 (Straffeloven)
Reference
See
https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft
Article 263 (1)(3) prohibits the use of a device to record or listen
in on private communications.
Article 263(2) prohibits unlawful access to third parties'
information and computer programs to be used in an
information system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 263(1)(3): Fines or imprisonment
for up to 6 months.
• Violations of article 263(2): Fines or imprisonment for
up to 1 year and 6 months.
• Imprisonment for violations of either article 263(1)(3) or
263(2) may increase to 6 years if the information consists of
trade secrets or the violation in another way is considered
to be gross or for article 263(2) if the violation is
organised or systematic.
Criminal Law
Fraud
Relevant law
The Criminal Code – Consolidation Act no 1034 of 29 October 2009
(Straffeloven)
Reference
See https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft
Fraud in general is punished by Article 279 of the Criminal Code. This
article sanctions any act of using deception (including use of false names
or titles, or any other type of deceptive manipulation or abuse of good
faith or credulity) with a view to unlawfully appropriating someone else’s
money or property. This would apply to any ID theft incidents involving
the use of a falsified identity to appropriate money or property.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of article 279 can be criminally sanctioned with fines and
imprisonment for up to 1 year and 6 months and in case of gross
violations for up to 6 years.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
The Criminal Code – Consolidation Act no 1034 of 29 October
2009 (Straffeloven)
Reference
See
https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft
Forgery is punished by Article 171. The clause covers both
electronic documents and paper documents in situations where
the document does not originate from the stated issuer or the
content of the original document has been changed.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations can be criminally sanctioned with
imprisonment for up to 1 year and 6 months and in case of
gross violations for up to 6 years.
Cybercrime - illegal access to information systems (hacking)
Relevant law
The Criminal Code – Consolidation Act no 1034 of 29 October 2009
(Straffeloven)
Reference
See https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft
Illegal access to information systems is prohibited by Article 263(2)
which prohibits unlawful access to third parties' information and
computer programs to be used in an information system.
Article 263 a prohibits unlawful distribution of codes and other means of
access protecting access to non-commercial information systems in the
following situations:
• If the codes or other means are sold commercially or the
distribution is made to a larger group of people and the information
system is not publicly available
• If a larger number of codes or other means is distributed
• If the codes or other means protect access to systems of
importance to society or to systems holding sensitive personal
data. In this situation obtaining the codes or other means is also
prohibited
Article 301 a prohibits unlawful distribution of codes and other means of
access protecting access to commercial information systems where users
have to pay to get access.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations can be criminally sanctioned with imprisonment for up to 1
year and 6 months and in case of gross violations for up to 6 years.
Cybercrime – illegal data interference
Relevant law; Reference; Main provisions in relation to ID theft; Prescribed sanction
No specific regulation on illegal data interference except for the
situation where the interference is done for the purpose of
committing fraud (see below).
Cybercrime – computer-related forgery
Relevant law; Reference; Main provisions in relation to ID theft; Prescribed sanction
No specific regulation on computer-related forgery. The general
rule on forgery (Article 171 of the Criminal Code) applies – see
above.
Cybercrime – computer-related fraud
Relevant law
The Criminal Code – Consolidation Act no 1034 of 29 October 2009
(Straffeloven)
Reference
See https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft
Computer-related fraud is punished by Article 279 a of the Criminal
Code. Article 279 a prohibits anyone from unlawfully appropriating
someone else’s money or property by changing, adding or deleting
information or computer programs meant for electronic data processing
or otherwise unlawfully seeking to affect the output of such data processing.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations can be criminally sanctioned with imprisonment for up to 1
year and 6 months and in case of gross violations for up to 6 years.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of data protection laws, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable (eg, publication of the victim's name, address,
photo, etc.);
- forgery if the forgery changed the legal impact of the
information;
- fraud and/or computer-related fraud, if the false identity was
used to unlawfully appropriate money or property.
Case law available?
No known case law
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if use of the
credentials can be qualified as unlawful access to data related to
electronic communication (eg, to make bank transfers);
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate money or property;
- illegal access to information systems, if the credentials were used
to access a system without authorisation.
Case law available?
Several cases are known in relation to using a third party’s stolen
credit card, which is found to constitute fraud.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- fraud if falsified messages were sent to unlawfully appropriate
money or property.
Case law available?
No known case law.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using the spyware itself (independent from what the
perpetrator would do with the stolen information) would likely
be:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights.
Case law available?
In a case from 2000 decided by the Eastern High Court a person
was convicted for getting access to a third party’s computer and
passwords by using a hacker program. The hacker was sentenced
to imprisonment with suspended extension. The length of
imprisonment was not decided. The case is published in Ugeskrift
for Retsvæsen, 2000, p. 1450.
The result was the same in another case from 2002 published in
Ugeskrift for Retsvæsen, 2002, p. 1064.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- a violation of the data protection act, since the personal
information would be unlawfully processed;
- a violation of the prohibition against distributing codes or other
means of access to information systems under Article 263 a of the
Criminal Code if the personal information contained such codes
or other means.
Case law available?
No known case law.
ID theft reporting mechanisms
The Danish banks all have a reporting mechanism when passwords for credit cards or
Internet bank systems have been compromised.
No general ID theft reporting mechanisms exist in Denmark.
The Danish IT and Telecom Agency has launched a website called ‘IT-citizen’ which also
provides information on security aspects, including ID theft, see http://www.itborger.dk/sikkerhed
Personal assessment of the framework for combating ID theft
It seems that the legal framework for combating ID theft incidents in Denmark is
sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents
which are not covered under present legislation. Some criticisms have been raised that
creating a false identity on-line would not be prohibited under Danish law. However it
must be expected that such actions would be covered by the Danish data protection act
and further by articles under the Criminal Code depending on how the false profile is
created and which information is received, cf. above.
It could be considered a weakness that no general contact point for reporting ID theft
exists. However at present this does not seem to have caused any public criticisms.
Estonia
Applicable laws
Laws focusing explicitly on ID theft
The main provisions that regulate ID theft in Estonia as a specific crime, or that define
such a crime, are set out in the Estonian Penal Code. In Estonia criminal offences,
including identity theft, can only be regulated in the Penal Code. Under the Penal Code
identity theft has been criminalised since 15.03.2007.
The law enforcement authorities are also improving public awareness (for example through
their web pages) of ID theft risks.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Personal Data Protection Act (Isikuandmete kaitse seadus), entered
into force 1 January 2008.
Reference
Available electronically at
https://www.riigiteataja.ee/ert/act.jsp?id=12909389
as in force on 19 April 2010.
Main provisions in
relation to ID theft
The Data Protection Act provides that processing of personal
data is permitted only with the consent of the data subject unless
otherwise provided by law (§ 10). It also regulates the
disclosure of personal data (§ 11); processing of personal data
after the death of the data subject (§ 13); requirements and
security measures/obligations for protecting personal data
(§ 24 and § 25); and supervision (§ 32).
Generally the Personal Data Protection Act is in line with the
Data Protection Directive 95/46/EC.
Prescribed sanction
Violation of the obligation to register the processing of sensitive
personal data, violation of the requirements regarding security
measures to protect personal data or violation of other
requirements for the processing of personal data are punishable
by a fine of up to 18,000 EEK (approx. 1,150 EUR). The same
act, if committed by a legal person, is punishable by a fine of up
to 500,000 EEK (approx. 32,050 EUR).
Violation of the requirements regarding security measures to
protect personal data or violation of other requirements for the
processing of personal data prescribed in this Act, if a precept
issued to the person by the Data Protection Inspectorate on the
basis of § 40 of this Act for the elimination of the violation is
not complied with, is punishable by a fine of up to 18,000
EEK (approx. 1,150 EUR).
The same act, if committed by a legal person, is punishable by a
fine of up to 500,000 EEK (approx. 32,050 EUR).
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
The Constitution of the Republic of Estonia (Eesti Vabariigi
Põhiseadus), entered into force on 3 July 1992.
Electronic Communications Act (Elektroonilise side seadus),
entered into force on 1 January 2005.
Penal Code (Karistusseadustik), entered into force on 1 September
2002.
Reference
The above sources are available electronically at
https://www.riigiteataja.ee/ert/act.jsp?id=12846827
https://www.riigiteataja.ee/ert/act.jsp?id=13247210
https://www.riigiteataja.ee/ert/act.jsp?id=13286633
as in force on 19 April 2010.
Main provisions in relation to ID theft
The general provision comes from the Constitution of the
Republic of Estonia. § 43 provides that everyone has the right to
confidentiality of messages sent or received by him by post,
telegraph, telephone or other commonly used means. Exceptions
may be made by court authorisation to prevent a criminal
offence, or to ascertain the truth in criminal proceeding, in cases
and pursuant to procedures provided by law.
The Electronic Communications Act makes the provider of the
electronic communications services responsible for maintenance
of security of the data, including personal data of the users.
§ 101 of the Electronic Communications Act provides that a
communications undertaking must guarantee the security of a
communications network and prevent third persons from
accessing the data specified in subsection 102 (1) of this section
without legal grounds.
If clear and present danger exists to the security of the
communications network, the communications undertaking shall
immediately inform the subscriber of such danger in a reasonable
manner and, if elimination of the danger by the undertaking is
impossible, the information shall cover also possible means to
combat the threat and any costs related thereto.
§ 158 sanctions the violation of confidentiality of radio-communications. It provides that obtaining and using, by third
persons not engaged in radio-communication, information by
means of radio transmission equipment concerning persons
engaged in radio-communication and messages transmitted by
them is punishable.
§ 187 sets forth that violation of the obligation to maintain the
confidentiality of information concerning a user which becomes
known in the process of provision of communications services is
punishable.
The Estonian Penal Code sanctions in § 156 the violation of
confidentiality of messages. It provides that the violation of the
confidentiality of a message communicated by a letter or other
means of communication is punished.
Prescribed sanction
Violations of § 158 can be punished by a fine of up to
18,000 EEK (approx. 1,150 EUR). The same act, if
committed by a legal person, is punishable by a fine of up to
50,000 EEK (approx 3,200 EUR).
Violations of § 187 can be punished by a fine of up to 12,000
EEK (766 EUR). The same act, if committed by a legal person, is
punishable by a fine of up to 30,000 EEK (approx 1,923 EUR).
Violation of § 156 of the Penal Code can be punished by a
pecuniary punishment. The same act if committed by a person
who has access to the message, due to performance of his or her
official duties, is punishable by a pecuniary punishment or with
imprisonment up to one year.
Criminal Law
Fraud
Relevant law
Penal Code (Karistusseadustik), entered into force on 1 September
2002.
Reference
Available electronically at
https://www.riigiteataja.ee/ert/act.jsp?id=13286633
as in force on 19 April 2010.
Main provisions in relation to ID theft
Fraud in general is punishable under § 209 of the Estonian Penal
Code. This article provides that a person who receives proprietary
benefits by knowingly causing a misconception of existing facts
shall be punished. This would apply to any ID theft incidents
involving the use of a false identity to gain proprietary benefits.
Prescribed sanction
Violations of § 209 can be punished by a pecuniary punishment
or with imprisonment up to 3 years. The same act if committed
by a legal person is sanctioned with pecuniary punishment.
In case of a legal person, the court may impose a pecuniary
punishment of fifty thousand up to two hundred and fifty
million EEK (approx. 3,194-15,968,318 EUR) on the legal
person. A pecuniary punishment may be imposed on a legal
person also as a supplementary punishment together with
compulsory dissolution of the legal person itself.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Penal Code (Karistusseadustik), entered into force on 1 September
2002.
Reference
Available electronically at
https://www.riigiteataja.ee/ert/act.jsp?id=13286633
as in force on 19 April 2010.
Main provisions in relation to ID theft
Forgery is punishable under § 344 and following of the Penal
Code, including:
• § 344: counterfeiting a document, seal or blank
document form on the basis of which it is possible to
obtain rights or release from obligations;
• § 345: use of a counterfeit document, seal or blank
document form with the intention to obtain rights or
release from obligations;
• § 346: destruction, damages to, theft or concealment of
an official document, seal or stamp;
• § 347: falsification of an important identity document;
• § 348: knowing use of or grant of permission to use a
falsified important identity document;
• § 349: a person who uses an important identity
document issued in the name of another person or grants
permission to another person to use an important
identity document issued in his or her own name, with
the intention to obtain rights or release from obligations;
• § 157(2): regulates the illegal use of another person’s
identity. Transmission of personal data which enables the
person to be identified without his or her consent, creation
of access to the data and making it available for use by
another person can be sanctioned.
Prescribed sanction
• Violations of § 344 can be sanctioned with pecuniary
punishment or imprisonment up to one year. The same
act, if committed by a legal person, is punishable with a
pecuniary punishment.
• Violations of § 345 can be sanctioned with pecuniary
punishment or imprisonment up to 3 years. The same
act, if committed by a legal person, is punishable with a
pecuniary punishment.
• Violations of § 346 can be sanctioned with a fine or
detention. There is no regulation for legal persons.
• Violations of § 347 can be sanctioned with pecuniary
punishment or imprisonment up to 5 years. The same
act, if committed by a legal person, is punishable with a
pecuniary punishment.
• Violations of § 348 can be sanctioned with pecuniary
punishment or imprisonment up to 3 years. There is no
regulation for legal persons.
• Violations of § 349 can be sanctioned with pecuniary
punishment or imprisonment up to 3 years. There is no
regulation for legal persons.
• Violations of § 157(2) can be sanctioned with pecuniary
punishment or imprisonment up to 3 years. There is no
regulation for legal persons.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Penal Code (Karistusseadustik), entered into force on 1 September
2002.
Reference
Available electronically at
https://www.riigiteataja.ee/ert/act.jsp?id=13286633
as in force on 19 April 2010.
Main provisions in relation to ID theft
§ 217 of the Penal Code provides that unlawful access to a
computer system by way of removal or circumvention of a code,
password or other protective measure is punishable.
Prescribed sanction
Violations of § 217 can be sanctioned with pecuniary
punishment or imprisonment up to 3 years. If the same act is
committed by a legal person, it is sanctioned with pecuniary punishment.
Cybercrime – illegal data interference
Relevant law
Penal Code (Karistusseadustik), entered into force on 1 September
2002.
Reference
Available electronically at
https://www.riigiteataja.ee/ert/act.jsp?id=13286633
as in force on 19 April 2010.
Main provisions in relation to ID theft
Illegal data interference is punishable under § 206 of the Penal
Code. (1) Illegal alteration, deletion, damaging or blocking of
data or programmes within computer systems, or illegal
uploading of data or programmes into computer systems is
punishable. (2) It is also punishable, when it is committed against
a computer system of a vital sector or if significant damage has
been caused.
Prescribed sanction
Violations of § 206 can be sanctioned respectively with (1)
pecuniary punishment or imprisonment up to three years; (2)
pecuniary punishment or imprisonment up to five years. If the
same act is committed by a legal person, then it is punished by a
pecuniary punishment.
Cybercrime – computer-related forgery
Relevant law
Penal Code (Karistusseadustik), entered into force on 1 September
2002.
Reference
Available electronically at
https://www.riigiteataja.ee/ert/act.jsp?id=13286633
as in force on 19 April 2010.
Main provisions in relation to ID theft
Computer-related forgery is punishable under § 216(1) of the
Estonian Penal Code. This section provides that a person who, for
the purposes of committing the criminal offences provided in
sections 206, 207, 208, 213 or 217 of the Penal Code prepares,
possesses, disseminates or makes available in any other manner a
device, program, password, protective code or other data
necessary for accessing a computer system, or uses, disseminates
or makes available in any other manner the information necessary
for the commission of the criminal offences specified in this
section shall be punished.
Prescribed sanction
Violations of § 216(1) can be sanctioned with a pecuniary
punishment or imprisonment up to three years.
If the same act is committed by a legal person, then it is punished
with a pecuniary punishment.
Cybercrime – computer-related fraud
Relevant law
Penal Code (Karistusseadustik), entered into force on 1 September
2002.
Reference
Available electronically at
https://www.riigiteataja.ee/ert/act.jsp?id=13286633
as in force on 19 April 2010.
Main provisions in relation to ID theft
Illegal access to information system is punishable under § 213 of
the Penal Code. This article regulates computer-related fraud
and provides that a person who receives proprietary benefits
by unlawful entering, altering, deleting, damaging or blocking
computer programs or data or by doing other unlawful
interference with a data processing operation shall be punished.
Prescribed sanction
Violation of this article can be sanctioned with a pecuniary
punishment or imprisonment up to 5 years. The same act, if
committed by a legal person, is punishable with a pecuniary
punishment.
Application in practice
In this section, we examine if/how these regulations are applied in practice,
including any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of Data Protection Act. Consent of data subject is
needed when processing personal data;
- violation of communication secrecy laws, if the false profile
results in messages being sent to the false profile which were
intended for the real recipient and violation of confidentiality of
messages (Criminal Code 156);
- violation of the Criminal Code sanctions, under § 157(1),
unlawful processing of sensitive personal data and under § 157(2)
the illegal use of another person’s identity;
- forgery and/or computer-related forgery if the forgery changed
the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was
used to unlawfully appropriate property;
Case law available?
No known case law.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- violation of the Data Protection Act, since the credentials are
likely to be considered personal data which are being unlawfully
processed;
- fraud and/or computer-related fraud if falsified messages were
sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used
to access a system without authorisation;
Case law available?
The Estonian Supreme Court (‘Riigikohus’) dealt with cases
where a third party’s Bank Identifier Codes had been used to get
access to an Internet bank account. The Supreme Court found this
to constitute computer-related fraud.
Estonian version of the decision:
http://www.nc.ee/?id=11&tekst=222509079; case nr: 3-1-1-8307. Decision made on 21 April, 2008.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing would likely be:
- a violation of the data protection act, since the credentials of
natural persons are likely to be considered personal data which
are being unlawfully processed;
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering,
changing or deleting information in an information system
without authorisation or misled users into giving away sensitive
information.
Case law available?
No known case law.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
The act of using falsified identity documents would likely be:
- violation of Data Protection Act since personal data is being
unlawfully processed;
- such an incident would likely involve violation of § 157(2) and
§ 344-349 of the Estonian Penal Code.
Case law available?
For example the Estonian Supreme Court ruled on a case in
2009 where a person falsified an important identity document (ex
§ 347 of the Criminal Code), id est a passport, to conclude a
buying contract of mobile phones.
Estonian version of the decision:
http://www.nc.ee/?id=11&tekst=RK/3-1-1-48-09; case nr: 3-1-1-48-09. Decision made on 8 June, 2009.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- violation of Data Protection Act. Personal information would
be unlawfully processed and consent of data subject is needed
when processing personal data;
- violation of communication secrecy laws, if the personal
information contained data related to electronic communication.
Case law available?
No known case law.
ID theft reporting mechanisms
Victims of ID theft or identity-related incidents are recommended to contact the local
Police directly. The website [118] of the Estonian Police and Border Guard Board provides
information about ID crimes, how to protect oneself against them and how to contact the
police if you are a victim of ID theft or IT crime. The police also provide information
about fraud and computer-related fraud.
To raise computer security and ID theft awareness among the general public, several
websites have been launched:
• http://www.arvutikaitse.ee (a blog-style website on information security; reflects
up-to-date online threats and provides information on anti-virus and anti-spyware software
etc.);
• http://www.infosecurity.ee (a Russian language version of the
http://www.arvutikaitse.ee website, however the content is not 100 percent identical);
• http://laste.arvutikaitse.ee (a website directed at children and youths in an effort to
raise awareness of online risks among these age groups);
• http://www.assapauk.ee (contains reconstructed educational videos on actual cases
of persons falling victim to online malpractices; the website also includes instructional
videos on how to reduce online risks, ie, about how to protect your password, to choose a
strong password, about identity theft and protection of privacy online, about avoiding
suspicious content).
[118] http://www.politsei.ee/et/nouanded/it-kuriteod/
Personal assessment of the framework for combating ID theft
The legal framework for combating ID theft incidents in Estonia is sufficiently
comprehensive and flexible. There do not appear to be any examples of ID theft incidents
which are not covered under present legislation.
The only weakness is that the country does not have any ID theft reporting mechanisms
(websites) but there is always the possibility to report the malpractice to the Police.
Victims of ID theft are required to go through official channels to report the theft
(ie, registering a complaint with local police). This process can be slow and it seems that
ID theft does not appear to take high priority in investigations, except in case of clear and
significant harm to the victim, even if it can be quite hard to produce evidence of it.
Finland
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Finland that focuses explicitly on ID theft as a
specific crime, or that defines such theft as a crime. However, stealing and/or using
someone else’s ID would most likely constitute violation of other provisions of law (eg,
Personal Data Act, 523/1999, and Criminal Code, 39/1889).
The Finnish Ministry of the Interior has set up a working party to assess the protection of
ID by legal means and the report of the work should be published during the spring of
2010. Pursuant to the initial information given by the Ministry of the Interior, the
working party will not be proposing criminalization of ID theft as a specific crime but will
submit this issue to be further considered by the Finnish Ministry of Justice.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Personal Data Act (in Finnish: Henkilötietolaki, 523/1999)
Reference
See
http://www.finlex.fi/fi/laki/ajantasa/1999/19990523
Main provisions in relation to ID theft
The Personal Data Act is the main Act in Finland in relation to
protection of privacy and most of the rules of this Act are
implemented from the Data Protection Directive (95/46/EC).
The provisions of the Act apply to the processing of personal
data, unless otherwise provided elsewhere in the law. For
example, Section 8 defines general prerequisites for processing
personal data and Section 13 includes the rules on processing of a
personal identity number.
Prescribed sanction
There are several possible sanctions. The authority in question
(the Data Protection Ombudsman) may prohibit the processing
of personal data and such prohibition may be reinforced with a
threat of fine. Further, the violation of the Personal Data Act
may be criminally sanctioned with fines unless a more severe
penalty is provided in the Criminal Code.
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
The Act on the Protection of Privacy in Electronic
Communications (Sähköisen viestinnän tietosuojalaki 516/2004)
Reference
See
http://www.finlex.fi/fi/laki/alkup/2004/20040516
Main provisions in
relation to ID theft
Section 4, Confidentiality of messages: as a general principle all
messages and identification data are confidential.
Section 5, Non-exploitation: the use of the content of a
confidential message or identification data is forbidden without
the consent of a party to the communication.
Section 6, Protecting messages and identification data: the
possession, importing, manufacture and distribution of any
system or part of a system for decoding the technical protection
of electronic communications is prohibited if the system is
primarily intended for unlawful decoding of technical
protection.
Prescribed sanction
The sanctions for wilful violations of the provisions can be fines
unless a more severe penalty is provided elsewhere in legislation.
Communications secrecy laws – contents of electronic communication
Relevant law
Criminal Code (Rikoslaki, 39/1889)
Reference
See
http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft
Chapter 38 of the Criminal Code defines the data and
communications offences. The following provisions can be
applicable:
Section 3, Message interception: hacking into the contents of an
electronic or other technically recorded message which is
protected from outsiders or obtaining information on these
contents.
Section 4, Aggravated message interception: for example if in the
message interception the offence is committed by using a
computer program or special technical device designed or altered
for such purpose, or the message that is object of the offence is
especially confidential, or the act constitutes a grave violation of
the protection of privacy.
Prescribed sanction
The sanctions for violations can be the following:
• Violations of section 3 can be sanctioned with a fine or
an imprisonment for up to one year at the most.
• Violations of section 4 can be sanctioned with an
imprisonment for up to three years at the most.
Fraud
Relevant law
Criminal Code (Rikoslaki, 39/1889)
Reference
See
http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft
Fraud is punished by Sections 1, 2 and 3 of Chapter 36 of the
Criminal Code as follows:
Section 1, Fraud: causing economic loss by deceiving another or
taking advantage of an error of another and the offence is
committed in order to obtain financial benefit or in order to
harm another.
Section 2, Aggravated fraud: for example if the fraud involves
the seeking of considerable benefit, causes considerable or
particularly significant loss, is committed by taking advantage of
special confidence based on a position of trust or is committed
by taking advantage of special weakness or other insecure
position of another.
Section 3, Petty fraud
These provisions would apply to any ID theft incidents involving
the use of a falsified identity to appropriate property.
Prescribed sanction
The sanctions for violations can be the following:
• Violations of section 1 can be criminally sanctioned with
a fine or an imprisonment for up to two years at the
most.
• Violations of section 2 can be criminally sanctioned with
an imprisonment between four months and four years,
ie, for four months at least and four years at the most.
• Violations of section 3 can be criminally sanctioned with
a fine.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (Rikoslaki, 39/1889)
Reference
See
http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft
Forgery is punished by Sections 1, 2 and 3 of Chapter 33 of the
Criminal Code as follows:
Section 1, Forgery: Preparing a false document or other item or
falsifying such a document or item in order for it to be used as
misleading evidence or using a false or falsified item as
misleading evidence.
Section 2, Aggravated forgery.
Section 3, Petty forgery.
These provisions would apply to any ID theft incidents involving
a falsified document, for example another person’s passport,
driving licence etc., used as a means of misleading.
Prescribed sanction
The sanctions for violations can be the following:
• Violations of section 1 can be criminally sanctioned with
a fine or an imprisonment for up to two years at the
most.
• Violations of section 2 can be criminally sanctioned with
an imprisonment between four months and four years,
ie, for four months at least and four years at the most.
• Violations of section 3 can be criminally sanctioned with
a fine.
Defamation
Relevant law
Criminal Code (Rikoslaki, 39/1889)
Reference
See
http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft
Defamation is punished by Sections 9 and 10 of Chapter 24 of
the Criminal Code as follows:
Section 9, Defamation: Spreading false information or a false
insinuation of another person so that the act is conducive to
causing damage or suffering to that person or subjecting that
person to contempt.
Section 10, Aggravated defamation: for example when the
offence is committed by using the mass media or making the
information available to many persons.
Defamation can be related to ID thefts when someone uses a
false identity for example in the media and writes something that
is conducive to causing damage or suffering to the victim of ID
theft. (Writing with a stolen identity is not a crime unless the act
constitutes an offence.)
Prescribed sanction
The sanctions for violations can be the following:
• Violations of section 9 can be criminally sanctioned with
a fine or imprisonment for up to six months at the most.
• Violations of section 10 can be criminally sanctioned
with a fine or an imprisonment for up to two years at the
most.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code (Rikoslaki, 39/1889)
Reference
See
http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft
Chapter 38 of the criminal code defines the data and
communications offences. The following provisions can be
applicable:
Section 8, Computer break-in: Unlawful hacking into computer
systems, where data is processed, stored or transmitted
electronically or otherwise, by using stolen access codes or
otherwise breaking a protection. Unlawfully obtaining
information contained in a computer system by using a special
technical device, without hacking into the system, is also
criminal.
Section 8 a, Aggravated computer break-in: The above defined
(Section 8) actions conducted as part of the activity of an
organized criminal group, or in a particularly methodical
manner and the computer break-in is aggravated also when
assessed as a whole.
Section 9, Data protection offence: processing data in violation
of the Personal Data Act by the way of causing damage or
significant inconvenience to another person is prohibited.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system, or to steal credentials from such a system.
Prescribed sanction
The sanctions for violations can be the following:
• Violations of section 8 can be sanctioned with a fine or
an imprisonment for up to one year at the most.
• Violations of section 8 a can be sanctioned with a fine or
an imprisonment for up to two years at the most.
• Violations of section 9 can be sanctioned with a fine or
an imprisonment for up to one year at the most.
Cybercrime – illegal data interference
Relevant law
Criminal Code (Rikoslaki, 39/1889)
Reference
See http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft
Chapter 38 of the Criminal Code defines the data and
communications offences, which can be:
Section 7 a, Interference in a computer system: entering,
transferring, damaging, altering or deleting data or in another
manner unlawfully preventing the operation of a computer
system or causing serious interference.
Section 7 b, Aggravated Interference in a computer system.
This would apply to any ID theft incidents involving the
falsifying of identity information stored in an information
system.
Prescribed sanction
The sanctions for violations can be the following:
• Violations of section 7 a can be criminally sanctioned
with a fine or imprisonment for up to two years at the
most.
• Violations of section 7 b can be sanctioned with
imprisonment between four months and four years, ie,
for four months at least and four years at the most.
Cybercrime – computer-related forgery
Relevant law / Reference / Main provisions in relation to ID theft / Prescribed sanction
Please see above the information on forgery.
Cybercrime – computer-related fraud
Relevant law / Reference / Main provisions in relation to ID theft / Prescribed sanction
Please see above the information on fraud.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of the Personal Data Act, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable (for example publication of the victim's name,
address, photo, etc.);
- violation of the Act on the Protection of Privacy in Electronic
Communications, if the false profile results in messages being
sent to the false profile which were intended for the real
recipient;
- forgery, if the forgery changed the legal impact of the
information;
- fraud, if the false identity was used to unlawfully appropriate
property.
- defamation, if the false identity was used in a way that would be
conducive to causing damage or suffering to the victim of ID
theft.
Case law available?
No known case law, ie, we are not aware of any case law.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how the
credentials were used:
- violation of the Personal Data Act, since the credentials are likely to be
considered as personal data which is being unlawfully processed;
- violation of the Act on the Protection of Privacy in Electronic
Communications, if use of the credentials can be qualified as unlawful access
to data related to electronic communication (for example to make bank
transfers);
- fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a
system without authorisation.
Case law available?
There are several cases specifically in relation to using a third party’s stolen
credit card. Paying for purchases with a stolen credit card is considered fraud
in Finland. However, most of these offences are not committed on-line.
For example, in 2009 the Kouvola Court of Appeal ruled that using a
found credit card and falsifying the signature when paying by the card
constituted fraud and forgery.
The defendant was sentenced to imprisonment for one month but the
sentence included two petty thefts as well (the district court had sentenced
him to imprisonment for two months).
A copy of the decision can be found here:
http://www.edilex.fi/oikeuskaytanto/ho/kouho20091207/?search=oikeuskaytanto.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- a violation of the Personal Data Act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of the Act on the Protection of Privacy in Electronic
Communications, if the collection of the credentials can be
qualified as unlawful access to data related to electronic
communication;
- fraud, if falsified messages were sent to unlawfully appropriate
property;
- illegal data interference, if the act of phishing involved entering,
changing or deleting information in an information system
without authorisation (for example in order to falsify a website).
Case law available?
No known case law, ie, we are not aware of any case law.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using the spyware itself (independent from what the
perpetrator would do with the stolen information) would likely
be:
- a violation of the Personal Data Act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of the Act on the Protection of Privacy in Electronic
Communications, if the collection of the credentials can be
qualified as unlawful access to data related to electronic
communication;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system
without authorisation.
Case law available?
No known case law, ie, we are not aware of any case law.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information could
be:
- a violation of the Personal Data Act, since the personal
information would be unlawfully processed;
- a violation of the Act on the Protection of Privacy in Electronic
Communications, if the personal information contained data
related to electronic communication (like email addresses, IP
addresses, etc).
Case law available?
No known case law, ie, we are not aware of any case law.
ID theft reporting mechanisms
http://www.poliisi.fi
In Finland one can report ID theft to the police if it involves a suspected
crime. It is possible to file an electronic report of an offence via the police’s
website. The website offers special forms for reporting crimes.
http://www.viestintavirasto.fi
The Finnish Communications Regulatory Authority (in Finnish:
Viestintävirasto) is an authority which maintains an overview of the
functionality of electronic communications networks and information
security, and reports on possible information security threats. There is a
form for reporting information security offences available on the website
as well as basic instructions on information security matters.
http://www.tietosuoja.fi
It is possible to report all cases which involve the misuse of personal data
to the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun
toimisto), which is an independent authority operating in connection with
the Ministry of Justice. The website also includes a lot of information on data
protection in general.
http://www.kuluttajavirasto.fi
The Consumer Agency (Kuluttajavirasto) offers practical information and
advice on various matters relating to consumers. The website presents
information on, for example, phishing of personal data.
Personal assessment of the framework for combating ID theft
The main challenge/problem in Finland seems to be that ID theft itself is not criminalized
and so the Criminal Code covers certain forms/types of ID theft only. As described above,
ID theft is not a criminal offence unless it involves the unlawful appropriation of property
(fraud) or spreading false information or a false insinuation about another person so that the
act is conducive to causing damage or suffering to that person or subjecting that person to
contempt (defamation).
Further, one can argue it is problematic that in cases of fraud the injured party of ID theft
is not considered to be the person whose identity has been stolen but, for example, the store
where the purchase was made with the false ID. Based on the above, one can likely argue
that the current legislation does not protect the ‘real’ injured party enough.
The Finnish Data Protection Ombudsman is of the opinion that ID theft (itself) should be
criminalized in Finland; he has expressed this opinion strongly and several times in the
media. However, it has been stated by the working party of the Finnish Ministry of the
Interior (as described in Section 1.1. above) that from the technical legislative perspective
(formulation/wording of the legislation etc.) criminalizing ID theft is a relatively
complicated matter.
France
Applicable laws
Laws focusing explicitly on ID theft
The French Criminal Code contains a specific provision for ID theft (Article 434-23). For
an ID theft to qualify as a crime, two conditions should be met:
(1) the thief has to assume the name of another person. The Supreme Court has
recently ruled that the concept of name should include an email
address.119 However, the use of a false name that does not correspond to an
existing natural person will not fall under the scope of application of this article.120
(2) the ID theft should lead, or might have led, to the initiation of a criminal
prosecution against the victim. This is for instance the case if the ID theft prevents
the victim from obtaining a French passport to which he is entitled.121
The wording of this article therefore leaves out a number of cases where ID theft does
not trigger any legal or economic consequence for the victim. Such acts are nowadays
pursued under other crimes such as libel or misappropriation of correspondence. However,
conduct which does not by itself constitute a crime will remain unpunished. This is
for instance the case for the fraudulent use of emails by third parties for, for example, affiliating
the victim to a political party or other associations. Similarly, phishing cannot currently be
punished under Criminal Law if not followed by potential initiation of criminal
prosecution against the victim.
In order to close this legal loophole, the creation of a new crime that would punish ID
theft in electronic communications is currently being discussed by the French Parliament.
If approved, the act (known as LOPPSI 2)122 would introduce a new article into the
Criminal Law Code. The text has so far been approved by both Chambers in first reading.
Article 2 of LOPPSI 2 introduces a new article 222-16-1 to the Criminal Code
worded as follows (according to the version approved by the Parliament on 16 February
2010):123
‘The fact of using on a network of electronic communications, the identity of another
person or data of any kind that allows his or her identification in order to disturb the peace
of that person or another person is punishable by one year of imprisonment and a fine of
15,000 €.
Shall be punished in similar terms the fact of making use, on an electronic communication
network, of the identity of another person or data of any kind that allows his or her
identification, in order to affect his/her honour or consideration.’
Two modifications were made to the text as originally worded in the Law proposal: 1) the
condition of repetition, originally foreseen to qualify the ID theft as a crime (in the first of
the two cases contemplated by this article) was removed; 2) the reference to ‘data of any
kind allowing for the identification of the victim’ has replaced the original one of victim’s
‘personal data’. Both modifications contribute to the broadening of the scope of this
article.
As now worded, the crime of ID theft consists of two elements:
• Material element: the use of a third party’s identity or of any other data allowing his or
her identification on an electronic communication network. This includes the
fraudulent use of emails but also the fraudulent posting in blogs or social
networking sites. The rapporteur, Eric Ciotti, clearly indicates that this article
intends to punish ID thefts that would not trigger economic consequences for the
victim but have a less tangible impact, such as in cases of defamation.
• Intentional element: this use should pursue the aim of disturbing the peace of a third
party or impinge on his or her honour or reputation.
This new article would be placed under Title II of Book II of the Legislative Part of the
Penal Code entitled « deliberate damage to physical or mental integrity of persons » («
atteintes volontaires à l’intégrité physique ou psychiques des personnes »), after article 222-16
that punishes malicious calls. In this sense, the rapporteur notes that the very object of the
ID theft as worded under the new article, disturbance of public peace, is similar to the one
of malicious calls.
The new article 222-16-1 provides for the same sanctions as those for malicious calls: a
one-year prison term and a 15.000€ fine. These sanctions are aggravated when the ID theft is
committed by a legal person. The amount of the fine is raised to 75.000 €. Legal persons
can moreover be dissolved (when the legal person has been created to perpetrate the
crime); a temporary or definitive prohibition to exercise, directly or indirectly, the social or
professional activity in which the offense has been committed, can be ordered, as well as a
placement under judicial supervision or exclusion or suspension of public procurement
(article 139 of the Criminal Code).
119 Cour de Cassation, Chambre Criminelle, 20 January 2009. Available online at:
http://www.foruminternet.org/specialistes/veille-juridique/jurisprudence/cour-de-cassation-chambrecriminelle-20-janvier-2009-2852.html?decoupe_recherche=usurpation%20d'identité
120 Cour de Cassation, Chambre criminelle, 10 March 2010, N° 09-81.948, not published
121 Cour de Cassation, Chambre criminelle, 26 May 2009, N° 08-87.752, not published
122 Loi d’orientation et de programmation pour la performance de la sécurité intérieure (LOPPSI2), the
preparatory works are available online at: http://www.assembleenationale.fr/13/dossiers/lopsi_performance.asp
123 Unofficial translation. The French text reads as follows: « Le fait de faire usage, sur un réseau de
communications électroniques, de l’identité d’un tiers ou de données de toute nature permettant de l’identifier, en vue
de troubler la tranquillité de cette personne ou d’autrui, est puni d’un an d’emprisonnement et de 15.000€
d’amende.
Est puni de la même peine le fait de faire usage, sur un réseau de communication électroniques, de l’identité d’un tiers
ou de données de toute nature permettant de l’identifier, en vue de porter atteinte à son honneur ou à sa
considération »
Other laws that may apply to ID theft incidents
The right to privacy
Relevant law
Civil Code
Reference
See http://www.legifrance.gov.fr
Main provisions in relation to ID theft
Article 9 of the Civil Code acknowledges a right to privacy. ID theft
incidents, because they often result in the disclosure of information
related to the victim’s privacy, might interfere with this right.
Prescribed sanction
Read together with article 1382 of the Civil Code that regulates
civil liability, violations of the right to privacy will result in the
compensation for the injury suffered by the victim.
Data protection laws
Relevant law
Act n°78-17 of 6 January 1978 on data processing, data files and
individual liberties (Loi n° 78-17 du 6 Janvier 1978 relative à
l'informatique, aux fichiers et aux libertés)
Reference
See http://www.cnil.fr/en-savoir-plus/textes-fondateurs/loi78-17/
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will constitute unlawful processing whenever they are
based on automatic processing of personal data or non-automatic
processing of personal data that is or may be contained
in a personal data filing system.
It would then violate legitimacy requirements (article 7),
proportionality obligations and the purpose restriction (article 6),
transparency obligations (article 32), security obligations (article
34) and formal obligations such as the prior notification to the
French Privacy Commission (article 22).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with prison terms of five years and fines of 300.000
EUR.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (Code Pénal)
Reference
See http://195.83.177.9/code/index.phtml?lang=uk
Main provisions in relation to ID theft
Forgery is punished by Article 441-1 and following of the
Criminal Code, and refers to any fraudulent alteration of the
truth liable to cause harm and made by any means in a document
or other medium of expression of which the object is, or effect
may be, to provide evidence of a right or of a situation carrying
legal consequences. Articles 441-2 and following punish a series
of aggravated conducts:
• Art. 441-2: forgeries committed in a document delivered
by a public body for the purpose of establishing a right,
an identity or a capacity, or to grant an authorisation;
• Art. 441-3: forgeries in an authentic or public document
or a record prescribed by a public authority;
• Art. 441-5: Unlawfully procuring for another person a
document delivered by a public body for the purpose of
establishing a right, an identity or capacity, or the grant
of an authorisation.
• Art. 441-6: Unlawfully obtaining from a public
administration or from an institution discharging a
public service mission, by any fraudulent means, any
document intended to establish a right, an identity or a
capacity, or to grant an authorisation
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 441-1 (general public) can be
criminally sanctioned with imprisonment of 3 years and
a fine of 45.000€.
• Violations of article 441-2 can be criminally sanctioned
with imprisonment of 5 years and a fine of 75.000€.
When committed by a person holding public authority
or discharging a public service mission acting in the
exercise of his office; habitually or with the intent to
facilitate the commission of a felony or to gain immunity
for the perpetrator, sanctions can be increased up to 7
years’ imprisonment and a fine of 100.000€.
• Violations of article 441-3 can be criminally sanctioned
with imprisonment of 2 years and a fine of 30.000€.
• Violations of article 441-4 can be criminally sanctioned
with imprisonment of 10 years and a fine of 150.000€. If
committed by a person holding public authority or
discharging a public service mission whilst acting in the
exercise of his office or mission, sanctions could amount
to 15 years’ imprisonment and a fine of 225.000€.
• Violations of article 441-5 can be criminally punished by
5 years’ imprisonment and a fine of 75.000€. If
committed by a person holding public authority or
discharging a public service mission whilst acting in the
exercise of his office or mission, sanctions could amount
to 7 years’ imprisonment and a fine of 100.000€.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code
Reference
See http://195.83.177.9/code/index.phtml?lang=uk
Main provisions in relation to ID theft
Illegal access to information systems is punished by Article 323-1
of the Criminal Code, including accessing or remaining within
all or part of an automated data processing system, causing the
suppression or modification of data contained in that system or
any alteration of the functioning of that system.
Article 323-2 forbids obstructing or interfering with the
functioning of an automated data processing system.
Article 323-3 punishes the fraudulent introduction of data in an
automated data processing system or the fraudulent deletion or
modification of the data that it contains.
Article 323-3-1 sanctions persons who, without lawful authority,
import, possess, offer, transfer or make available any
equipment, instrument, computer programme or information
created or specially adapted to commit one or more of the
offences prohibited by articles 323-1 to 323-3.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system, to steal credentials from such a system, or to fraudulently
introduce or alter information within a computer system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 323-1 can be criminally sanctioned
with fines of 30.000 EUR and imprisonment of 2 years.
• Violations of article 323-2 can be criminally sanctioned
with fines of 75.000 EUR and imprisonment of 5 years.
• Violations of article 323-3 can be criminally sanctioned
with fines of 75.000 EUR and imprisonment of 5 years.
• Violations of article 323-3-1 can be punished by the
penalties prescribed for the offence itself.
Brand counterfeiting
Relevant law
Intellectual Property Code
Reference
See: http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000006070722&dateTexte=vig
Main provisions in relation to ID theft
Articles L.713-1 and following prohibit, unless authorized by the
owner of the brand:
• The reproduction, use or affixing of a mark
• The suppression or modification of a duly affixed mark
• The imitation of a mark and the use of an imitated mark
for goods or services that are identical or similar to those
designated in the registration
This article may be used in cases such as phishing where the ID
theft results in the unlawful use of the victim brand.
Prescribed sanction
Violations of this article may result in up to three years of
imprisonment and a fine of up to 300.000€.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- Civil liability
- ID theft if this results in or may have led to criminal liability for
the victim
- Violation of the right to privacy and of data protection laws,
since personal data of the victim would likely be unlawfully
processed to make the false identity believable (eg, publication of
the victim's name, address, photo, etc.);
- Violation of communication secrecy laws, if the false profile
results in messages being sent to the false profile which were
intended for the real recipient;
- ID theft in the sense of art. 434-23 if this leads or may have led
to criminal liability for the victim.
- Forgery and/or computer-related forgery, if the object is, or
effect may be, to provide evidence of a right or of a situation
carrying legal consequences
- Fraud and/or computer-related fraud, if the false identity was
used to unlawfully transfer funds, valuables or any property, to
provide a service or to consent to an act incurring or discharging
an obligation.
Case law available?
Yes. Ruling of the First Instance Tribunal [Tribunal de Grande
Instance] of Carcassonne of 16 June 2006. In this case, a woman
used different pseudonyms on a dating service website and
described herself as an ‘easy woman willing to have sexual
relations’. She provided the contact details of her colleague, who
started receiving numerous messages from individuals eager to
meet her. As a result, the colleague fell into a depression and had
to ask for sick leave.
The convicted woman was deemed liable for intentional violence
(violences volontaires) with premeditation and had to compensate
both her victim and the Public Health Insurance.
A copy of the decision can be found here:
http://www.legalis.net/breves-article.php3?id_article=1645
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- ID theft if this results in or may have led to criminal liability for
the victim
- Violation of the right to privacy and of the data protection act,
since the credentials are likely to be considered personal data
which is being unlawfully processed;
- violation of communication secrecy laws, if use of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- fraud and/or computer-related fraud, if the false identity was
used to unlawfully transfer funds, valuables or any property, to
provide a service or to consent to an act incurring or discharging
an obligation.
- illegal access to information systems, if the credentials were used
to access a system without authorisation.
Case law available?
Yes. Ruling of the Supreme Court of 20 January 2009. The
authors of the crime had published pictures of the victim naked
on the Internet making use of her email address. The offenders were
convicted on the basis of article 434-23 of the Penal Code
(ID theft) and the right to privacy.
Decision available at:
http://www.foruminternet.org/specialistes/veillejuridique/jurisprudence/cour-de-cassation-chambre-criminelle20-janvier-2009-2852.html
Libel
Relevant law
Press Act of 29 July 1881
Reference
See: http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000006070722&dateTexte=vig
Main provisions in relation to ID theft
Article 29 punishes any allegation of a fact which undermines the
honour or reputation of the person or body to which the act is
attributed.
Prescribed sanction
Violations of this article may result in a fine of up to 12.000€. When
libel is committed because of the race, religion, gender, sexual
orientation or physical handicap, sanctions rise to 1 year of
imprisonment and a fine of 45.000€.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using the spyware itself (independent from what the
perpetrator would do with the stolen information) would likely
be:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system
without authorisation.
- ID theft, if the stolen data would be qualified as ‘name’ by the
jurisprudence (such as emails) and if this could result in criminal
liability for the victim.
Case law available?
No known case law.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- a violation of the data protection act, since the personal
information would be unlawfully processed;
Case law available?
No known case law.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator would do
with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be
considered personal data which is being unlawfully processed;
- fraud and/or computer-related fraud, if the false identity is used to
unlawfully transfer funds, valuables or any property, to provide a service or
to consent to an act incurring or discharging an obligation.
- illegal access to information systems, if the false identity were used to
access a system without authorisation.
- Brand counterfeiting
Case law available?
Yes, two rulings of the High Court of Paris of 2 September 2004 and 21st
September 2005.
In the ruling of 2004, the First Instance Tribunal of Paris sanctioned a
phishing attack on the basis of fraud, unlawful access to a computer system
and unlawful alteration of data contained in such system. The convicted person had
mirrored a bank website and by these means managed to order transfers of
funds of his victims to chosen bank accounts.1 The offender was also
convicted of attempted fraud and fraudulent access to an automated data
processing system and received a suspended prison sentence of one year and
a fine of 8,500 euros.1
In the ruling of 2005, the Court punished a phishing act on the basis of
brand counterfeiting. The Court considered that this mirror website illegally
owned the brand Microsoft and reproduced and disclosed without prior
authorisation the registration page of MSN Hotmail.1 The sanction remains
however low (a suspended fine of 500 euros and 700 euros of
damages to be paid to Microsoft) because of the young age of the offender
and the fact that no personal data had been gathered.
These rulings are available online at:
• Tribunal de Grande Instance de Paris, 13th Chamber, 2 September
2004, Ministère public, Crédit Lyonnais et Caisse nationale du
Crédit agricole c/ Radhouan M. et autres:
http://www.foruminternet.org/specialistes/veillejuridique/jurisprudence/tribunal-de-grande-instance-de-paris-13echambre-2-septembre-2004.html
• Tribunal de grande instance de Paris 31ème chambre Jugement du
21 septembre 2005, Microsoft Corporation / Robin B.:
http://www.legalis.net/jurisprudence-decision.php3?id_article=1520
Example of case law about ID theft and official documents forgery:
The Appeal Court of Amiens (Criminal Chamber) ruled in a judgement of 16
September 2009 (n°09/00345) that the acquisition of a third party’s passport, where the
offender had further replaced the photograph of the third party with his own, and the use of this
passport to move across France and other countries constituted the crime of ID
theft as punished under article 434-23 of the Criminal Code. The offender had also used
the falsified identity to buy a car, register this car with the public administration and
obtain a driving license unlawfully. The act is also punished under the crimes of fraud and
use of forged official documents (articles 441-1, 441-2, 441-3 of the Criminal Code). The
Appeal Court confirmed the judgement of the First Instance Tribunal of two years’
imprisonment for ID theft and another 2 years for fraud and document forgery.
ID theft reporting mechanisms
There are no specific ID theft reporting mechanisms in France.
Several public awareness campaigns have been launched on the basis of private initiatives,
mainly related to financial ID theft.
As online consultation of bank accounts and conducting online transactions have become
the second activity of French Internet users, French banks have undertaken initiatives to
276
RAND Europe
National Profiles
raise awareness among Internet users of the risks involved in online banking. The Federation of
French Banks, FBF [Fédération Bancaire Française], helped to sponsor a campaign to help
teach people how to use the Internet safely. As part of this, almost three million brochures,
comics and books were distributed in branch offices (of banks) and on bank websites.
Advice was included on how to detect and avoid phishing, and on the importance of anti-virus software on computers. Banks also sent letters to their customers and posted alert
messages online warning of potential dangers. The FBF regularly updates its practical
guide to secure online banking, which is available on the www.fbf.fr and
www.lesclesdelabanque.com websites.124
In addition, e-commerce actors have offered specific tool bars to enable users to identify
secure websites.125
The Forum of Rights on the Internet also published several on-line guides and fact sheets for
Internet users in order to provide them with useful tools for preventing abuses or
defending themselves against such abuses. It is worth mentioning, for instance, the guide
on on-line shopping126 published on 17 November 2005 and updated regularly since
then, which also includes some advice against phishing. This guide includes advice
for every step of the purchase, from the selection of the online merchant to the payment
process and the existing recourse in case of problems. A specific part is dedicated to C2C
websites. The 2008 edition also includes advice on online video games and
online trip booking. The guide ends with a short quiz.
Personal assessment of the framework for combating ID theft
Globally, it seems that the legal framework for combating ID theft incidents in France is
sufficiently comprehensive, as there appear to be few examples of ID theft incidents which
are not covered under present legislation. In fact, the identity fraud offence as punished
under the Criminal Code is hardly used in legal procedures when it comes to online
identity fraud. Other crimes are better suited to protect the victims from these practices
such as fraud or unauthorised access to an information system. However, whenever
identity theft does constitute by itself an offense, for instance when a person steals the
digital identity of another without further using it, it would remain unprotected.
124 Information extracted from FBF, Press release ‘Banks mobilise to increase Internet security’, 31 December 2005, available on-line at: http://www.fbf.fr/web/internet/content_europe.nsf/(WebPageList)/662BED67AF6A21F4C125717100560858 (last accessed on 31 October 2007)
125 C. Guillemin, Des barres d'outils pour Internet Explorer et Firefox protègent du ‘phishing’, ZdNet, 4 January 2005.
126 Forum des droits sur l’Internet, Online purchase: follow the guide [Achats en ligne : suivez le guide], edition 2008, available on-line at: http://www.foruminternet.org/particuliers/guides/IMG/pdf/Guidedesachatsenligne2008.pdf (last accessed on 3 December 2007)
The introduction of a new crime of digital ID theft will close this legal loophole and better
address the problems raised by online ID theft. The latest wording of the article would allow
a broad range of cases to be covered, not limited by the concept of ‘name’ or of ‘personal data’.
Germany
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Germany that focuses explicitly on ID theft as a
specific crime and hence defines such an ID theft crime. In practice, ID theft incidents are
combated using the general provisions of the laws set forth below, in particular in relation
to the laws concerning the right to one’s own name, the protection of personal data against
unauthorised use, and the criminal offences of data espionage, data interception, data-related forgery, fraud, computer-related fraud, data alteration and computer sabotage.
No legislative initiative that specifically addresses ID theft prevention is currently under
consideration to our knowledge. Instead, as information security and ID theft concerns rise
in society, the policy debate in Germany increasingly focuses on improving awareness of
ID theft risks with consumers, businesses, state agencies and law enforcement bodies.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
1. Federal Data Protection Act (Bundesdatenschutzgesetz; Abbreviation: BDSG), in the version promulgated on 14 January 2003, last amended by law of 14 August 2009; and complementary the respective data protection legislation of the federal states
2. Telecommunications Act (Telekommunikationsgesetz; Abbreviation: TKG), in the version promulgated on 22 June 2004, last amended by law of 17 February 2010; in particular sections 88 ff. TKG concerning secrecy of telecommunications, and sections 91 ff. TKG concerning protection of data privacy
3. Teleservices Act (Gesetz über die Nutzung von Telemedien; Abbreviation: TMG), in the version promulgated on 26 February 2007, last amended by law of 14 August 2009; in particular sections 11 ff. TMG concerning protection of data privacy
Reference
1. BDSG: http://bundesrecht.juris.de/bdsg_1990/
2. TKG: http://bundesrecht.juris.de/tkg_2004/
3. TMG: http://bundesrecht.juris.de/tmg/
Main provisions in relation to ID theft
ID theft incidents will typically constitute unlawful data processing, in particular because ID theft incidents requiring the unauthorised collection, alteration, transmission and use of personal data may involve the violation of legitimacy requirements, permission requirements, transparency obligations, secrecy obligations, security obligations and reporting requirements.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of certain BDSG provisions may be
punished by administrative fines of up to 50.000 EUR (section
43 (1), (3) BDSG), or of up to 300.000 EUR (section 43 (2), (3)
BDSG), and violations of certain TKG provisions may be
punished by administrative fines of up to 10.000 EUR, of up to
50.000 EUR, of up to 100.000 EUR, of up to 300.000 EUR, or
of up to 500.000 EUR (section 149 (1), (2) TKG), and
violations of certain TMG provisions may be punished by
administrative fines of up to 50.000 EUR (section 16 (2), (3)
TMG).
As a basic principle, administrative fines for violations against
BDSG or TKG provisions shall exceed the economic benefit that
the perpetrator has obtained from such administrative offence.
Furthermore, violations of certain BDSG provisions may be
punished as a criminal offence with imprisonment of not more
than 2 years or a fine if the perpetrator has deliberately acted with
the intent to obtain unlawful gain or cause unlawful damage
(sections 43 (2), 44 (1) BDSG), and violations of certain TKG
provisions concerning secrecy of telecommunications may be
punished as a criminal offence with imprisonment of not more
than 2 years or a fine (sections 89, 148 (1) Nr.1 TKG).
Communications secrecy laws concerning electronic communication
Relevant law
1. Telecommunications Act (Telekommunikationsgesetz; Abbreviation: TKG), in the version promulgated on 22 June 2004, last amended by law of 17 February 2010; in particular sections 88 ff. TKG concerning secrecy of telecommunications
2. Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the version promulgated on 13 November 1998, last amended by law of 2 October 2009
Reference
1. TKG: http://bundesrecht.juris.de/tkg_2004/
2. StGB: http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft
Sections 88 ff. TKG aim to protect the secrecy of telecommunications. Any form of online electronic data interchange is within their scope. In particular, section 88 TKG generally applies to unlawful acts in which a third party obtains information on someone else’s electronic communications or its technical characteristics – such as protocols, IP addresses, passwords, or security codes used – without permission and in which this information is abused.
Apart from sections 88 ff. TKG, the secrecy of data transmission
is protected by section 202b StGB. Section 202b StGB
criminalises illegal data interception: Whosoever unlawfully
intercepts data not intended for him, for himself or another, by
technical means from a non-public data processing facility or
from the electromagnetic broadcast of a data processing facility,
commits a criminal offence pursuant to section 202b StGB.
Furthermore, section 202a StGB criminalises illegal data
espionage: Whosoever unlawfully obtains data for himself or
another that were not intended for him and were especially
protected against unauthorised access, if he has circumvented the
protection, commits a criminal offence pursuant to section 202a
StGB.
Section 202c StGB criminalises the preparation of illegal data
interception or illegal data espionage, as committed by the
production, procurement or distribution of hacker tools.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, an act of data interception pursuant to section 202b
StGB may be punished as a criminal offence with imprisonment
of not more than two years or a fine (section 202b StGB), and an
act of data espionage pursuant to section 202a StGB may be
punished as a criminal offence with imprisonment of not more
than three years or a fine (section 202a (1) StGB). Pursuant to
section 202c StGB, even acts preparatory to such data
interception or data espionage may be punished as a criminal
offence with imprisonment of not more than one year or a fine
(section 202c (1) StGB).
Fraud (in general)
Relevant law
Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the
version promulgated on 13 November 1998, last amended by
law of 2 October 2009
Reference
http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft
Section 263 StGB criminalises fraud in general: Whosoever with
the intent of obtaining for himself or a third person an unlawful
material benefit damages the property of another by causing or
maintaining an error by pretending false facts or by distorting or
suppressing true facts, commits an act of fraud.
Section 263 StGB requires that damage to somebody’s financial
position is caused by an act of deliberate deception – such as the
use of false names or titles, or any other type of deceptive
manipulation or abuse of good faith or credulity – committed
with the intent to obtain unlawful gain. This would apply to any
ID theft incidents involving the use of a falsified identity in order
to unlawfully appropriate someone else’s property.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, an act of fraud pursuant to section 263 StGB may
be punished as a criminal offence with imprisonment of not
more than five years or a fine (section 263 (1) StGB). In
especially serious cases the penalty shall be imprisonment from
six months to ten years (section 263 (3) StGB). Whosoever on a
commercial basis commits fraud as a member of a gang whose
purpose is the continued commission of fraud, shall be liable to
imprisonment from one to ten years, in less serious cases to
imprisonment from six months to five years (section 263 (5)
StGB).
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the
version promulgated on 13 November 1998, last amended by
law of 2 October 2009
Reference
http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft
Section 267 StGB criminalises forgery in general with respect to
a falsified document: Whosoever for the purpose of deception in
legal commerce produces a counterfeit document, falsifies a
genuine document or uses a counterfeit or a falsified document,
commits an act of forgery. This would apply to any ID theft
incidents involving the use of a falsified signature or falsified
information on such documents which are capable of providing
evidence in legal commerce.
Furthermore, specific offences in relation to forgery are punished,
including particularly:
• Section 268 StGB criminalises forgery of technical records;
• Section 269 StGB criminalises forgery of data intended to provide proof;
• Section 270 StGB criminalises forgery in the context of falsely influencing data processing operations;
• Section 271 StGB criminalises deception causing wrong entries in public records;
• Section 273 StGB criminalises tampering with official identity documents;
• Section 274 StGB criminalises suppression of documents, technical records or legally relevant data;
• Section 276 StGB criminalises acquisition of false official identity documents.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, an act of forgery pursuant to section 267 StGB may
be punished as a criminal offence with imprisonment of not
more than five years or a fine (section 267 (1) StGB). In
especially serious cases the penalty shall be imprisonment from
six months to ten years (section 267 (3) StGB). Whosoever on a
commercial basis commits forgery as a member of a gang whose
purpose is the continued commission of forgery, shall be liable to
imprisonment from one to ten years, in less serious cases to
imprisonment from six months to five years (section 267 (4)
StGB).
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the
version promulgated on 13 November 1998, last amended by
law of 2 October 2009
Reference
http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft
Sections 202a, 202b, 303a and 303b StGB criminalise in
substance illegal access to data and interception and interference
of data and sabotage of computer systems, and so sections 202a,
202b, 303a and 303b StGB make up the core computer crimes.
Section 202c StGB criminalises the preparation of those
computer crimes, as committed by the production, procurement
or distribution of hacker tools. Section 202c StGB is Germany’s
transposition of Article 6 of the Council of Europe’s Convention
on Cybercrime. Section 202c StGB names two classes of hacker
tools: (i) passwords or other security codes enabling access to
data, or (ii) software primarily designed for committing such an
offence. This is determined by the intended objective purpose.
Therefore, IT security tools that are commonly recognised are
not considered to be hacker tools, even if such tools can also be
used with bad intent. On the other hand, malware and exploits
are within the scope of section 202c StGB because their objective
purpose is harmful. In any case, section 202c StGB requires the
preparation act to be promotive for an intended computer crime
pursuant to sections 202a, 202b, 303a or 303b StGB.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, such a preparation act pursuant to section 202c
StGB may be punished as a criminal offence with imprisonment
of not more than one year or a fine (section 202c (1) StGB).
Furthermore, an act of data espionage pursuant to section 202a
StGB may be punished as a criminal offence with imprisonment
of not more than three years or a fine (section 202a (1) StGB), an
act of data interception pursuant to section 202b StGB may be
punished as a criminal offence with imprisonment of not more
than two years or a fine (section 202b StGB), an act of data
tampering pursuant to section 303a StGB may be punished as a
criminal offence with imprisonment of not more than two years
or a fine (section 303a (1) StGB), and an act of computer
sabotage pursuant to section 303b StGB may be punished as a
criminal offence with imprisonment of not more than three years
or a fine (section 303b (1) StGB), with imprisonment of not
more than five years or a fine if the sabotaged data processing
operation is of substantial importance for another’s business,
enterprise or a public authority (section 303b (2) StGB), and
with imprisonment from six months to ten years in especially
serious cases of such computer sabotage (section 303b (4) StGB).
Cybercrime – illegal data interference
Relevant law
Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the
version promulgated on 13 November 1998, last amended by
law of 2 October 2009
Reference
http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft
Section 202b StGB criminalises illegal data interception: Whosoever unlawfully intercepts data not intended for him, for himself or another, by technical means from a non-public data processing facility or from the electromagnetic broadcast of a data processing facility, commits a criminal offence pursuant to section 202b StGB. Section 303a StGB criminalises illegal data tampering: Whosoever unlawfully deletes, suppresses, renders unusable or alters data, commits a criminal offence pursuant to section 303a StGB.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, an act of data interception pursuant to section 202b
StGB may be punished as a criminal offence with imprisonment
of not more than two years or a fine (section 202b StGB), and an
act of data tampering pursuant to section 303a StGB may be
punished as a criminal offence with imprisonment of not more
than two years or a fine (section 303a (1) StGB).
Cybercrime – computer-related forgery
Relevant law
Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the
version promulgated on 13 November 1998, last amended by
law of 2 October 2009
Reference
http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft
Section 269 StGB criminalises forgery of data intended to
provide proof: Whosoever for the purposes of deception in legal
commerce stores or modifies data intended to provide proof in
such a way that a counterfeit or falsified document would be
created upon their retrieval, or uses data stored or modified in
such a manner, commits a criminal offence pursuant to section
269 StGB.
This would apply to ID theft incidents involving the use of
falsified identity information in an information system for the
purposes of deception in legal commerce.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, an act of data-related forgery pursuant to section
269 StGB may be punished as a criminal offence with
imprisonment of not more than five years or a fine (section 269
(1) StGB). In especially serious cases the penalty shall be
imprisonment from six months to ten years (sections 269 (3),
267 (3) StGB). Whosoever on a commercial basis commits data-related forgery as a member of a gang whose purpose is the
continued commission of forgery, shall be liable to imprisonment
from one to ten years, in less serious cases to imprisonment from
six months to five years (sections 269 (3), 267 (4) StGB).
Cybercrime – computer-related fraud
Relevant law
Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the
version promulgated on 13 November 1998, last amended by
law of 2 October 2009
Reference
http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft
Section 263a StGB criminalises computer-related fraud: Whosoever with the intent of obtaining for himself or a third person an unlawful material benefit damages the property of another by influencing the result of a data processing operation through incorrect configuration of a program, use of incorrect or incomplete data, unauthorised use of data or other unauthorised influence on the course of the processing, commits a criminal offence pursuant to section 263a StGB.
This would apply to incidents of ID theft aiming to unlawfully
appropriate someone else’s property by entering, changing,
altering or deleting information in an information system or
modifying the operation of an information system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, an act of computer-related fraud pursuant to section
263a StGB may be punished as a criminal offence with
imprisonment of not more than five years or a fine (section 263a
(1) StGB). In especially serious cases the penalty shall be
imprisonment from six months to ten years (sections 263a (2),
263 (3) StGB). Whosoever on a commercial basis commits
computer-related fraud as a member of a gang whose purpose is
the continued commission of fraud, shall be liable to
imprisonment from one to ten years, in less serious cases to
imprisonment from six months to five years (sections 263a (2),
263 (5) StGB). Whosoever prepares computer-related fraud by
writing computer programs the purpose of which is to commit
such an act, or procures them for himself or another, offers them
for sale, or holds or supplies them to another, shall be liable to
imprisonment of not more than three years or a fine (section
263a (3) StGB).
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site under someone else’s name)
Applicable law
Depending on the facts of the case, an act of claiming a false identity on-line could involve in particular:
• The violation of a right of a person to use one’s own name, if the interest of the person entitled to the name is injured by the unauthorised use of the same name by another person (section 12 BGB – Civil Code, Bürgerliches Gesetzbuch; Abbreviation: BGB; Reference: http://bundesrecht.juris.de/bgb/);
• The violation of data protection laws, if personal data of the victim has been unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.);
• The violation of communication secrecy laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient;
• The criminal offence of forgery of data intended to provide proof, if falsified identity information capable of providing evidence has been used for the purposes of deception in legal commerce;
• The criminal offence of fraud, if damage to somebody’s financial position is caused by an act of deliberate deception – such as the use of a false identity – with the intent to obtain unlawful gain; or, the criminal offence of computer-related fraud, if this is caused by an act of deliberate manipulation of the result of a data processing operation.
Case law available?
In civil proceedings, claimants have based their action against the
unauthorised use of their name by another person on the
infringement of their right to their own name pursuant to section
12 BGB. There is a string of well-established cases where courts
have found that this right to one’s own name entitles the holder to forbid
the unauthorised use of the same name by another person, in
particular if the use of the same name causes a likelihood of
confusion. This right to one’s own name may apply as well to the
use of company names, trade names, domain names, and even
abbreviations of names.
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law
Depending on the facts of the case, an act of unlawfully using another person’s credentials could involve in particular:
• The violation of the data protection laws, if the credentials have been unlawfully processed without permission;
• The violation of communication secrecy laws concerning the secrecy of electronic communication, if the credentials have been unlawfully obtained from someone else’s electronic data interchange without permission;
• The criminal offences related to illegal access to information systems – including data espionage and preparatory acts for an intended data espionage, if the credentials – such as passwords or other security codes – have been used to unlawfully enable access to data without permission;
• The criminal offence of fraud, if damage to somebody’s financial position is caused by an act of deliberate deception – such as the transmission of falsified messages – with the intent to obtain unlawful gain; or, the criminal offence of computer-related fraud, if this is caused by an act of deliberate manipulation of the result of a data processing operation.
Case law available?
In both civil and criminal proceedings concerning the
unauthorised use of unlawfully obtained data containing personal
identity information, courts have found that the unauthorised
use of such unlawfully obtained data for a transaction causing
damage to the victim’s financial position may constitute a
criminal offence of fraud or computer-related fraud.
Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law
Depending on the facts of the case, an act of ‘phishing’ could involve in particular:
• The violation of the data protection laws, if personal data has been unlawfully processed without permission;
• The violation of communication secrecy laws concerning the secrecy of electronic communication, if personal data has been unlawfully obtained from someone else’s electronic data interchange without permission;
• The criminal offence of forgery of data intended to provide proof, if such ‘phishing emails’ or ‘phishing websites’ are considered to contain data capable of providing evidence which have been used for the purposes of deception in legal commerce;
• The criminal offence of data espionage;
• The criminal offence of data tampering;
• The criminal offence of computer sabotage;
• The criminal offence of fraud, if damage to somebody’s financial position is caused by an act of deliberate deception – such as the transmission of falsified messages – with the intent to obtain unlawful gain; or, the criminal offence of computer-related fraud, if this is caused by an act of deliberate manipulation of the result of a data processing operation.
Case law available?
In several cases, in civil proceedings where victims sued for damages, courts have found
that the use of data obtained from ‘phishing’ for a transaction
causing damage to the victim’s financial position may constitute
a criminal offence of computer-related fraud, entitling the victim
to recover damages.
Using spyware to obtain identity information (eg, installing a computer program that records which usernames and passwords are used and communicates these to a hacker)
Applicable law
Depending on the facts of the case, an act of using spyware in order to obtain identity information could involve in particular:
• The violation of the data protection laws, if personal data has been unlawfully processed without permission;
• The violation of communication secrecy laws concerning the secrecy of electronic communication, if personal data has been unlawfully obtained from someone else’s electronic data interchange without permission;
• The criminal offence of data espionage;
• The criminal offence of data interception;
• The criminal offence of data tampering;
• The criminal offence of computer sabotage;
• The criminal offence of acts preparatory to an intended data espionage, data interception, data tampering or computer sabotage, if such preparatory acts have been committed by the production, procurement or distribution of hacker tools – such as spyware.
Case law available?
Prevailing case law criminalises the act of using spyware itself as a hacker tool preparatory to an intended data espionage, data interception, data tampering or computer sabotage only if this spyware has been objectively designed or adapted primarily for the purpose of committing an intended data espionage, data interception, data tampering or computer sabotage.
Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law
Depending on the facts of the case, an act of ‘trafficking’ could involve in particular:
• The violation of the data protection laws, if personal data has been unlawfully processed without permission;
• The violation of communication secrecy laws concerning the secrecy of electronic communication, if personal data has been unlawfully obtained from someone else’s electronic data interchange without permission.
Case law available?
In several cases, acts of illegal data trafficking have been punished
with administrative fines.
ID theft reporting mechanisms
There is no German language website yet to be found which is dedicated solely and
exclusively to ID theft where victims of ID theft could use an official reporting mechanism
in order to file their charges.
However, several websites focussing on Internet security and cybercrime in general offer
valuable advice and guidance for consumers who seek to protect themselves against ID
theft. Useful websites include:
• http://www.bsi-fuer-buerger.de
• http://www.datenschutz.de
• http://www.bfdi.bund.de
• http://www.sichere-identitaet.de
• http://www.sicher-im-netz.de
Personal assessment of the framework for combating ID theft
In general, it seems that the legal framework for combating ID theft in Germany is
sufficiently comprehensive, as there do not appear to be any relevant cases of ID theft
incidents which may not be covered by the available laws at present.
In my view, in particular, the adoption and revision of specific data breach disclosure laws
that require firms to notify individuals when their personal information has been
compromised can help to reduce ID theft risks – both by preventing ID theft and by reducing
the victim’s losses and damages. Data breach disclosure laws can be considered as a possible
remedy for ID theft. Their purpose is to help consumers to protect their personal
information by requiring state agencies and businesses that keep consumers’ personal
information in a computerised data system to quickly disclose to consumers any breach of
the security of the system and to immediately notify a consumer whenever the consumer’s
personal information has been compromised by unauthorised disclosure – provided that the
information disclosed could be used to commit ID theft. Having been notified of a breach
of their personal information, consumers could then make informed decisions and take
appropriate actions to protect themselves against ID theft. For example, to mitigate the
risks, consumers can alert anyone who needs to be made aware of this incident – be it their
banks, their credit card merchants, host providers, website operators or law enforcement
bodies. The sooner consumers are notified of a breach of their personal information and
therefore able to detect ID theft risks, the sooner will they be able to take mitigating
actions to protect themselves against ID theft. Clearly, any notification is likely to be more
successful when the warning provides relevant information that will help the consumer to
make an informed decision. However, once notified, the responsibility still lies with the
individual to take appropriate actions. Once notified, consumers must themselves take
responsibility to respond to their own risk of ID theft and take appropriate actions to
protect themselves. The effectiveness of data breach disclosure laws relies on the actions
taken thereupon. Therefore, first and foremost, it is of importance to raise public
awareness of ID theft risks with consumers, businesses, state agencies and law enforcement
bodies.
In practice, it is not the law but law enforcement that needs to be strengthened in order to
enforce the protection against ID theft on the Internet. The Internet is not restricted by
territorial boundaries, it crosses all borders, and therefore the investigation of Internet
crimes and the enforcement of law must be enabled to cross those borders as well – and
this requires international cooperation.
RAND Europe
National Profiles
Greece
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Greece that focuses explicitly on ID theft as a
specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, fraud, etc.).
No such legislation is currently under consideration to our knowledge. Instead, the policy
emphasis in Greece is more on improving awareness of ID theft risks with potential victims
and law enforcement bodies.
Any natural or legal person who is victim of identity theft can make use of the protection
offered by Articles 57 and 58 of the Greek Civil Code. Article 57 (Right to personality)
provides that any person who has suffered an unlawful infringement on his personality has
the right to claim the cessation of such infringement as well as the non-recurrence thereof in
the future. A claim for compensation, according to the provisions about tort, is not
excluded. Similar is the provision of Article 58 (Right to name) which gives the right to
any person whose name has been questioned or is being unlawfully used by somebody else
to claim the cessation of the infringements and the non-recurrence thereof in the future. A
claim for compensation, according to the provisions about tort, is again not excluded.
According to Article 59 of the Greek Civil Code, in the cases of Articles 57 and 58 the
Court can order the responsible party to satisfy the non-pecuniary damages caused. If the
name in question is a trade name, then besides Article 58, it can be protected under Article
13 of law 146/1914 on unfair competition. Finally if the name serves also as a trademark,
then Articles 4, 18(3) and 26(1) of law 2239/1994 on trademarks, Article 1 of law
146/1914 on unfair competition, as well as Articles 914 and 919 of the Greek Civil Code
are applicable.
It should be noted that Greece has still not ratified the Council of Europe Convention on
Cybercrime nor has it transposed the EU Council Framework Decision 2005/222/JHA of
24 February 2005 on attacks against information systems into the Greek legal system.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Law 2472/1997 on the Protection of Individuals with regard to
the Processing of Personal Data (Νόµος 2472/1997 «Προστασία
του ατόµου από την επεξεργασία δεδοµένων προσωπικού
χαρακτήρα»)
Reference
Government Gazette (GG) Α’ 50/10.04.1997, available online
(with latest amendments of Law 3783/2009) at
http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/LAW/NOMOTHESIA%20PROSOPIKA%20DEDOMENA/2472_97_APR_10_FINAL.PDF;
Unofficial translation in English of the
consolidated version of the law (state as of March 2008) is done
by the Hellenic DPA and is available online at
http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%202472-97MARCH08-EN.PDF
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they will
violate the conditions of processing (article 5), proportionality
obligations and the purpose restriction (article 4), transparency
obligations (article 11), confidentiality and security obligations
(article 10) and formal obligations such as the notification to the
Greek Data Protection Authority (article 6).
Prescribed sanction
Apart from the damages that the victim may receive in civil
proceedings, the violations above can incur administrative
sanctions (article 21) of 880 to 150.000 EUR [300.000 to
50.000.000 drachmas (GRD)]127. The violations can also be
criminally sanctioned as detailed in article 22.
•
Violations of article 6 can be criminally sanctioned with
imprisonment128 up to 3 years and fines of 2.900 to
15.000 EUR [1.000.000 to 5.000.000 GRD].
•
Violations relating to unlawful interference with a
personal data file can be criminally sanctioned with
imprisonment up to 1 year and fines of 2.900 to 29.000
EUR [1.000.000 to 10.000.000 GRD].
•
If the aforementioned violation was purported to gain
unlawful financial benefit or to cause harm to a third
party, the perpetrator can be criminally sanctioned with
incarceration up to 10 years and a fine of 5.900 to 29.000
EUR [2.000.000 to 10.000.000 GRD].
•
If the aforementioned acts have jeopardised the free
operation of democratic governance or national security,
then the sanction imposed shall be incarceration and a
fine amounting between 15.000 and 29.000 EUR
[5.000.000 and 10.000.000 GRD].
127 Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data refers to the
sanctions in Greek Drachmas (GRD). However the conversion to EUR is made based on the provisions of
Articles 3-5 of Law 2943/2001, GG A’ 203/12.09.2001.
128 It is clarified that according to the Greek Penal Code: Custody ( ) is between 1 day and 1 month;
Imprisonment ( ) is between 10 days and 5 years; Incarceration ( ) is between 5 years and 20 years,
unless explicitly mentioned that it is for life.
Communications secrecy laws
Relevant law
Law 3471/2006 ‘Protection of personal data and privacy in the
electronic telecommunications sector and amendment of law
2472/1997’129 (Νόµος υπ’ αριθ. 3471/2006 «Προστασία
δεδοµένων προσωπικού χαρακτήρα και της ιδιωτικής ζωής στον
τοµέα των ηλεκτρονικών επικοινωνιών και τροποποίηση του ν.
2472/1997»)
Reference
Government Gazette (GG) Α’133/28.06.2006, available online at
http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/LAW/NOMOTHESIA%20PROSOPIKA%20DEDOMENA/3471_2006.PDF;
Unofficial translation in English is done by the Hellenic DPA and
is available online at
http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%203471-2006EN.PDF.
Main provisions in relation to ID theft
Article 4(5) on Confidentiality states that ‘Electronic
communications networks may not be used to store information
or to gain access to information stored in the terminal equipment
of a subscriber or user, particularly with the use of spyware,
hidden identifiers or other similar devices. Exceptionally, any
technical storage or access is permitted, when its sole purpose is to
carry out or facilitate the conveyance of information through an
electronic communications network, or when strictly necessary for
the provision of information society services explicitly requested
by the user or subscriber […].’
The provision generally applies to the use of electronic
communications networks of all kinds in order to obtain
information stored in the terminal equipment of the subscriber or
the user and it would apply to any ID theft incidents requiring the
collection/abuse of such data.
129 Article 5(7) of Law 3471/2006 was recently amended by Article 8 of law 3783/2009 on the identification of
owners and users of mobile telephony equipment and services and other provisions, GG A’ 136/07.08.2009.
Article 5(7) of Law
3471/2006 was amended as follows: ‘The provider of electronic communications services available to the
public has to, to the degree that this is technically feasible and it is allowed by the present law, make possible
the payment of these services in an anonymous way or via pseudonym. In cases of questioning of the technical
feasibility of anonymous or pseudonymous payment of these services, the Hellenic Telecommunications &
Post Commission (EETT) gives its opinion’
It is interesting to note that in Article 2(3) passwords are
mentioned as an example of traffic data. Therefore it is interesting
to take a closer look at the provisions relating to the protection of
traffic data in this law, the violation of which is also applicable in
the case of passwords:
Article 5 (Processing regulations) states that the processing of
traffic data is only allowed (a) when the user or subscriber has
provided consent upon notification as to the type of data, the aim
and extent of their processing and the recipient or categories of
recipients, or (b) the processing is necessary for the
implementation of the agreement to which the user or subscriber
is party, or to take measures, during the pre-agreement stage,
upon application by the subscriber. The provider of the public
communications network or of the publicly available electronic
communications service is allowed neither to use the data nor to
transfer them to third parties for other purposes, unless the
user or the subscriber has given his clear and explicit consent
(article 5(4)).
The calling line non-identification option can be cancelled only (a)
on a temporary basis, upon application of a subscriber requesting
the tracing of malicious or nuisance calls (article 8(7)(a)), or (b)
for emergency calls to the competent public authorities (article
8(7)(b)).
Article 15(1) of this Law additionally prohibits the unlawful use,
collection, storage, taking knowledge of, extraction, alteration,
destruction, transfer, disclosure or making accessible of personal data
[including traffic or location data] or making them available to
unauthorised persons or allowing such persons to take notice of
such data or exploitation of the data in any way whatsoever. If the
perpetrator purported to gain unlawful benefit on his behalf or on
behalf of another person or to cause harm to a third party (article
15(3)), then the crime is punished with stricter sanctions (see
below).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Anyone who unlawfully uses, collects, stores, takes
knowledge of, extracts, alters, destroys, transfers,
discloses, makes accessible personal data [including traffic
or location data] or makes them available to unauthorised
persons or allows such persons to take notice of such data
or exploits the data in any way whatsoever, can be
criminally sanctioned with imprisonment up to 1 year
and a fine amounting between 10.000 and 100.000 EUR,
unless otherwise subject to more serious sanctions (article
15(1)).
•
Any data controller or representative thereof who does
not comply with the acts of the Data Protection
Authority imposing the administrative sanctions of
provisional licence revocation, of permanent licence
revocation, of file destruction or interruption of
processing and destruction of the pertinent data, can be
criminally sanctioned with imprisonment of at least 2
years and a fine amounting between 12.000 and 120.000
EUR (article 15(2)).
•
If the perpetrator of the aforementioned acts purported to
gain unlawful financial benefit on his behalf or on behalf
of another person or to cause harm to a third party
(article 15(3)), he can be criminally sanctioned with
incarceration up to 10 years and with a fine of between 15.000
and 150.000 EUR. If the aforementioned acts have
jeopardised the free operation of democratic governance
or national security, the perpetrator shall be punished
with incarceration and a criminal fine amounting
between 50.000 and 350.000 EUR.
Communications secrecy laws – Confidentiality of communications
Relevant law
Penal Code (Ποινικός Κώδικας)
Reference
Presidential Decree 283/1985, GG A’ 106/31.05.1985, as
modified.
Main provisions in relation to ID theft
Article 370 forbids the violation of the confidentiality of letters.
Article 370A was added in order to forbid the violation of the
confidentiality of telephone communication and oral
conversation. More specifically it forbids:
•
Unfair interception or otherwise intervention with a device,
connection or network for the provision of telephony
services or hardware or software used for the provision of
such services aiming at receiving himself or a third party
information or recording on physical means the content of
the telephone conversation between third parties or the
traffic or location data of such communication (article
370A(1)).
•
Unfair monitoring using special technical equipment or
recording on physical means the oral conversation between
third parties or the recording on physical means a non public
action of someone else (article 370A(2)).
•
Using information or the physical means on which such
information has been recorded as described above (article
370A(3)).
The performance of the aforementioned actions by a telephony
service provider or its legal representative or member of its
management or its privacy assurance manager or employee or
partner, or person that performs private investigations or performs
such actions by profession or as habit or aimed at receiving fees for
them incurs stricter sanctions (article 370A(4)).
When the unfair interception of or intervention in a telephone
conversation, as described in article 370A(1), and the use of the
information or the physical means on which the information has
been recorded, as described in article 370A(3), entail the violation
of military or diplomatic secrecy or refer to a secret relating to state
security or the safety of public utility establishments, they are punished
under articles 146 (with intent) and 147 (by negligence).
The aforementioned provisions would apply to any ID theft
incidents involving the recording of electronic communications.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of article 370A(1) can be criminally sanctioned
with incarceration up to 10 years. The same is the
sanction where the culprit records on physical means the
contents of a conversation between the culprit and
another person without the latter’s express consent.
•
Violations of article 370A(2) can be criminally sanctioned
with incarceration up to 10 years. The same is the
sanction where the culprit records on physical means the
contents of a conversation between the culprit and
another person without the latter’s express consent.
•
Violations of article 370A(3) can be criminally sanctioned
with incarceration up to 10 years.
•
Violations of article 370A(4) can be criminally sanctioned
with incarceration up to 10 years and a fine between
55.000 and up to 200.000 EUR.
•
Violations of article 146 can be criminally sanctioned
with incarceration up to 10 years.
•
Violations of article 147 can be criminally sanctioned
with imprisonment up to 3 years.
Comments
The confidentiality of communications is protected by article 19
of the Greek Constitution. Relevant are also the provisions of law
2225/1994 [Law 2225/1994 ‘For the protection of free reporting
and communication and other provisions, Government Gazette
Α΄ 121/20.07.1994 (Νόµος 2225/1994 «Για την προστασία της
ελευθερίας της ανταπόκρισης και επικοινωνίας και άλλες
διατάξεις»], the provisions of law 3115/2003 [Law 3115/2003
‘Authority for the Assurance of Information and Communication
Privacy and Security’, Government Gazette Α΄47/27.02.2003
(Νόµος 3115/2004 «Αρχή διασφάλισης του απορρήτου των
επικοινωνιών»)] and Presidential Decree Nr. 47/2005
‘Procedures and technical and organisational safeguards for the
withdrawal of confidentiality of communications and its
assurance’, [Government Gazette Α΄64/10.03.2005 (Προεδρικό
διάταγµα 47/2005 «∆ιαδικασίες καθώς και τεχνικές και
οργανωτικές εγγυήσεις για την άρση του απορρήτου των
επικοινωνιών και για τη διασφάλισή του»130). Relevant are also
the provisions of recent law 3674/2008 [Law 3674/2008
‘Amplification of the institutional framework for the assurance of
the secrecy of telephony communication and other provisions,
Government Gazette A’136/10.07.2008 (Νόµος 3674/2008
«Ενίσχυση του θεσµικού πλαισίου διασφάλισης του απορρήτου
της τηλεφωνικής επικοινωνίας και άλλες διατάξεις»)]. Articles
248-250 of the Greek Penal Code punish the violation of the
secrecy of communications by post and telecommunications
employees.
Fraud
Relevant law
Penal Code (Ποινικός Κώδικας)
Reference
Presidential Decree 283/1985, GG A’ 106/31.05.1985, as
modified.
Main provisions in relation to ID theft
Fraud in general is punished by Article 386 of the Penal Code.
This article sanctions whoever with the purpose of securing
himself or a third party a financial benefit impairs foreign
property by persuading someone to commit an act or to refrain
from committing an act or to tolerate an act through the
intentional misrepresentation of facts as true or through the
concealment of the true facts.
130
Available online in Greek at http://www.adae.gr/portal/fileadmin/docs/nomoi/PD47.2005.pdf
Prescribed sanction
Violations of article 386 can be criminally sanctioned with
imprisonment of at least 3 months. If the damage caused is
particularly big, it is sanctioned with imprisonment of at least 2
years.
Other relevant provisions
Article 1 of Law 1608/1950 (GG A’310/28.12.1950) foresees that
when the fraud (Article 386 P.C.) is turned against the State or
Public Entity (legal entity of public law) or any other legal entity
mentioned explicitly in Article 263A P.C. and the benefit gained
or wished to gain by the culprit or the damage caused or definitely
threatened is over 15.000 EUR, then the culprit is sentenced to
incarceration and, if there are special aggravating circumstances or
the object is of especially high value, he can be sentenced for life.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Penal Code (Ποινικός Κώδικας)
Reference
Presidential Decree 283/1985, GG A’ 106/31.05.1985, as
modified.
Main provisions in relation to ID theft
Forgery is punished by Article 216 and following of the Penal
Code, including particularly:
•
Art. 216(1): forgery or falsification of a document in
order to mislead any other person by using it with regard
to an event that can have legal consequences.
•
Art. 216(1): the use of the document by the person who
forged or falsified it is considered as an aggravating
circumstance.
•
Art. 216(2): the use of a forged or falsified document
with full knowledge in order to mislead any other person
with regard to an event that can have legal consequences.
•
Art. 216(3)(a): if the culprit (of 216(1) or (2)) intended
to yield himself or somebody else of financial benefit by
harming a third person or intended to harm another
person, if the total benefit or the total damage is over
73.000 EUR, the sanctions are stricter.
•
Art. 216(3)(b): if the culprit conducts forgeries as a
profession or repeatedly and the total benefit or the total
damage is over 15.000 EUR, the sanctions are stricter.
•
Art. 217(1): the forgery or falsification of a certificate, proof
or other document with the aim of facilitating the direct
well-being, movement or social progress of himself or
another person.
•
Art. 217(1): the use, with full knowledge, of such an
aforementioned forged or falsified document.
•
Art. 217(2): the use of a genuine document for the
purposes mentioned in 217(1), which is however issued
for another person.
Article 243 foresees a crime that can be relevant to identity theft:
the crime of omission of identity verification. An employee who is
responsible for the issuing or the drafting of public documents, is
punished with imprisonment of at least 3 months, if, during the
issuing or the drafting of such a document, he fails to verify the
identity of the person that is mentioned in the document in the
way and under the conditions prescribed in the law.
Relevant is also the provision of Article 242, which relates to an
employee who is responsible for the issuing or the drafting of
specific public documents. If he intentionally certifies a false
incident that can have legal consequences, he can be punished
with imprisonment of at least 1 year.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
•
Violations of article 216(1) can be criminally sanctioned
with imprisonment of at least 3 months.
•
Violations of article 216(2) can be criminally sanctioned
with imprisonment of at least 3 months.
•
Violations of article 216(3)(a) can be criminally
sanctioned with incarceration of at least 10 years, if the
total benefit or the total damage is over 73.000 EUR.
•
Violations of article 216(3)(b) can be criminally
sanctioned with incarceration of at least 10 years.
•
Violations of article 217(1) can be criminally sanctioned
with imprisonment of up to 1 year or with financial fine.
•
Violations of article 217(2) can be criminally sanctioned
with imprisonment of up to 1 year or with financial fine.
Other relevant provisions
Article 22(1) of law 1599/1986 (GG A’ 75/11.06.1986) punishes
the forgery or falsification of an identity card, pursuant to the
provisions of Art 216(1) P.C. (ie, imprisonment of at least 3
months). The same paragraph punishes the use, with full knowledge,
of a forged or falsified identity card (imprisonment of at least 3
months). Article 22(2) of law 1599/1986 punishes the use of an
identity card to prove data contained in it knowing that
it has been modified (imprisonment of at least 3 months).
Article 1 of Law 1608/1950 (GG A’310/28.12.1950) foresees that
when the forgery or falsification (Article 216 P.C.) is turned
against the State or Public Entity (legal entity of public law) or
any other legal entity mentioned explicitly in Article 263A P.C.
and the benefit gained or wished to gain by the culprit or the
damage caused or definitely threatened is over 15.000 EUR, then
the culprit is sentenced to incarceration and, if there are special
aggravating circumstances or the object is of especially high value,
he can be sentenced for life.
Article 54(7) of Law 2910/2001 (GG A’ 91/02.05.2001) states
that whoever unlawfully has in his possession or uses a genuine
passport or another travel document of another person is punished
with imprisonment of at least 3 months and a fine of at least
1.500 EUR. The same is the sanction for any person who has in
his possession or makes use of a forged passport or other travel
document. Article 54(8) of Law 2910/2001 provides that the
person responsible at a travel agency or immigration, or anybody else, who
submits on behalf of a third party supporting documents for the
issuing of a travel document with data that do not correspond to
the identity of the person, is punished with imprisonment of at
least 3 months and a fine of 3.000 EUR. The same is the sentence
for the person on behalf of which the documents are submitted.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Penal Code (Ποινικός Κώδικας)
Reference
Presidential Decree 283/1985, GG A’ 106/31.05.1985, as
modified.
Main provisions in relation to ID theft
The Greek Penal law contains two provisions that relate to
hacking: Article 370C(2)131 and Article 370B, which punishes the
violation of secret computer elements or software.
Article 370C(2) punishes the unauthorised access to computer
data.
•
More specifically Article 370C(2) punishes whoever
gains access to elements, introduced to a computer or to
a computer’s peripheral memory or transmitted through
telecommunications systems, provided that these actions
have taken place without right, in particular by
contravening restrictions or security measures that the
lawful holder had taken.
131 Paragraph 1 of Article 370C deals with the unauthorised copying or use of computer software, while
paragraphs 2 and 3 deal with the unauthorised access to computer data.
•
If the action described in Article 370C(2) refers to the
international relations or the security of the State, it is
punished according to Article 148 on espionage.
Article 370C(3) clarifies that if the perpetrator is in the service of
the legal holder of the elements, the action described in Article
370C(2) is only punishable, if it is explicitly forbidden in the
internal regulation or in a written decision of the owner or
authorised personnel.
Article 370C(2), to the extent that it refers to elements
transmitted through telecommunications systems, covers also
electronic mail, teletext and videotext.
Committing an illegal access to information systems with the
intent of committing another crime would attract the heavier
sentence augmented depending on the circumstances (articles 94-98 P.C.).
Article 370B punishes the violation of secret computer elements
or software.
•
More specifically Article 370B(1) punishes whoever
unlawfully copies, depicts, uses, discloses to another or in
any case breaches computer elements or software, which
constitute state, scientific or professional secrets or
business secrets of the public or the private sector. As
secrets are also considered those, that the legal holder
thereof treats as such, based on a justified interest, in
particular if he has taken measures to prevent third
parties from knowing about them.
•
Article 370B(2): If the perpetrator is in the service of the
holder of the elements and if the secret is of particularly
high financial value, the action is punished in a stricter
way.
•
Article 370B(3): If the secret is a military or diplomatic
one or refers to a secret relating to state security it is
punished under articles 146 (with intent) and 147 (by
negligence).
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system.
Prescribed sanction
•
Violations of 370C(2) can be criminally sanctioned with
imprisonment of up to 3 months or with a fine of at least
29 EUR (to 15.000 EUR).
•
Violations of 370C(2) that refer to the international
relations or the security of the State can be criminally
sanctioned with imprisonment of at least one year.
•
Violations of 370B(1) can be criminally sanctioned with
imprisonment of at least three months.
•
Violations of 370B(2) can be criminally sanctioned with
imprisonment of at least one year.
•
Violations of article 146 can be criminally sanctioned
with incarceration up to 10 years.
•
Violations of article 147 can be criminally sanctioned
with imprisonment up to 3 years.
Cybercrime – illegal data interference
Relevant law
Penal Code (Ποινικός Κώδικας)
Reference
Presidential Decree 283/1985, GG A’ 106/31.05.1985, as
modified.
Main provisions in relation to ID theft
Article 370C(2) can also be used for cases of illegal data
interference (see above ‘Cybercrime - illegal access to information
systems (hacking)’). The analysis regarding Article 370C(2) applies here
mutatis mutandis. To the extent that the perpetrator has the
intent to obtain unlawful material benefit via the data
interference, Article 386A (fraud with a computer) is applicable,
as described in detail below under ‘Cybercrime – computer-related fraud’.
Illegal data interference, such as the deployment of malicious
code, can also be punished under Article 381 on property
damage (impairment of property).
•
Article 381 punishes whoever intentionally destroys or
harms a (wholly or partly) foreign object or in any other
way renders its use impossible.
Illegal interference with data that qualify as documents (Article
13c P.C.) can also be protected under Article 222, which
punishes whoever, with the intent to harm another person,
conceals, damages or destroys a document, of which he is not the
owner or the sole owner or on which somebody else has a legal
right to ask for its delivery or its demonstration, according to
civil law provisions.
However, interference with data that cannot be protected under
the data protection legislation or do not qualify as documents can
still remain unpunished.
Prescribed sanction
•
Violations of Article 381 can be criminally sanctioned
with fines imprisonment of up to 2 years.
•
Violations of Article 222 can be criminally sanctioned
with fines imprisonment of up to 2 years.
Cybercrime – computer-related forgery
Relevant law
Penal Code (Ποινικός Κώδικας)
Reference
Presidential Decree 283/1985, GG A’ 106/31.05.1985, as
modified.
Main provisions in relation to ID theft
Forgery is punished by Article 216 and following of the Penal
Code, as described above (see section ‘Forgery with respect to
identity’). The provisions of Article 216 punish the following
acts:
•
Art. 216(1): forgery or falsification of a document in order
to mislead any other person by using it with regard to
an event that can have legal consequences.
•
Art. 216(1): the use of the document by the person who
forged or falsified it is considered as an aggravating
circumstance.
•
Art. 216(2): the use of a forged or falsified document
with full knowledge in order to mislead any other person
with regard to an event that can have legal consequences.
•
Art. 216(3)(a): if the culprit (of 216(1) or (2)) intended
to yield himself or somebody else of financial benefit by
harming a third person or intended to harm another
person, if the total benefit or the total damage is over
73.000 EUR, the sanctions are stricter.
•
Art. 216(3)(b): if the culprit conducts forgeries as a
profession or repeatedly and the total benefit or the total
damage is over 15.000 EUR, the sanctions are stricter.
Article 216 P.C. also covers computer-related forgery. The
broadening of the definition of ‘document’ in Article 13(c)
P.C.132 allows the use of Article 216 as the basis for computer-related
forgery. More specifically, Article 216 was broadened as follows: ‘[…]
Document is also any means which is used by a computer or a
computer’s peripheral memory, in electronic, magnetic or other
way, for the recording, storing, producing or reproducing
elements, which can not be read directly, as well as any magnetic,
electronic or other material on which any information is
recorded, or picture, symbol or sound, individually or in
combination thereof, provided these means and materials are
destined or are appropriate to prove facts that have a significance
in law.’
132 The amendment was introduced with Article 2 of law 1805/1988 (GG A’ 199/31.08.1988).
So Article 216 covers all kinds of ‘electronic documents’, such as
CDs, magnetic tapes, cassettes, etc. For the application of Article
216, the way of ‘writing’ the forged documents is not important,
whether this was done by hand, typewriter, personal
computer or any other means.
Prescribed sanction
As already mentioned under section ‘Forgery with respect to
identity’, the following sanctions relate to Article 216:
•
Violations of article 216(1) can be criminally sanctioned
with imprisonment of at least 3 months.
•
Violations of article 216(2) can be criminally sanctioned
with imprisonment of at least 3 months.
•
Violations of article 216(3)(a) can be criminally
sanctioned with incarceration of at least 10 years, if the
total benefit or the total damage is over 73.000 EUR.
•
Violations of article 216(3)(b) can be criminally
sanctioned with incarceration of at least 10 years.
Cybercrime – computer-related fraud
Relevant law
Penal Code (Ποινικός Κώδικας)
Reference
Presidential Decree 283/1985, GG A’ 106/31.05.1985, as
modified.
Main provisions in relation to ID theft
Article 386A punishes fraud with a computer. More specifically
Article 386A punishes whoever, with the intent of obtaining for
himself or for a third person an unlawful material benefit,
damages the assets of another, by affecting the elements of a
computer either through incorrect configuration of a program or
interference in the operation of a program or use of incorrect or
incomplete data or in any other way.
Under article 187 the perpetrator who establishes a group of
three or more persons with the intention of committing more
than one offence, among which the offence of 386A (fraud with a
computer) shall be punished with imprisonment of up to 10
years.
This would apply to, for example, any ID theft incidents
involving the modification of information systems in order to
obtain usernames/passwords (eg, phishing) with the intent to
gain material benefit.
The Supreme Court (Άρειος Πάγος) in its decision 1277/1998
clarified that Article 386 A (Fraud with a computer) is a
‘different crime’ to the one of Article 386 (Fraud).
Prescribed sanction
Violations of article 386A can be criminally sanctioned with
imprisonment of at least 3 months. If the damage caused is
particularly great, the offence is sanctioned with imprisonment of
at least 2 years.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of data protection laws, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable (eg, publication of the victim's name, address,
photo, etc.);
- violation of communication secrecy laws, if the false profile
results in messages being sent to the false profile which were
intended for the real recipient;
- forgery and/or computer-related forgery, if the forgery changed
the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was
used to unlawfully appropriate property.
Case law available?
The Thessaloniki One Member Court of First Instance
(Μονομελές Πρωτοδικείο Θεσσαλονίκης) in the context of an
injunction application recently dealt with a case relating to the
posting on Facebook of data without the permission or the
consent of the person concerned (Decision 16790/2009). The
defendant created a Facebook account under a fake name and
posted defamatory information about and documents of the
plaintiff. This act was considered as unlawful processing of
personal data and violation of the personality of the defendant.
The decision is published in the law journal Media and
Communication Law (ΔΙΜΕΕ 2009/400). However it should be
noted that the decision on the case is not final yet.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if use of the
credentials can be qualified as unlawful access to data related to
electronic communication (eg, to make bank transfers);
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used
to access a system without authorisation.
Case law available?
Several cases are known, specifically in relation to using a third
party’s stolen credit/debit card. The Greek Courts have treated in
different ways the use of credit/debit cards. The Athens Court of
Appeals (Εφετείο Αθηνών) in its decision 1904/1991 considered
the use of a cashcard and its secret code as theft, without even
considering the crime of fraud with a computer (386A P.C.).
The Military Court of Athens (Διαρκές Στρατοδικείο Αθηνών)
(2897/1994) also considered this action as theft. However the
Piraeus Naval Court (Ναυτοδικείο Πειραιώς) in its decision 418/1996
considered the use of the bank card of another person as fraud
with a computer, constituting the crime of 386A P.C.
The Three Member Criminal Court of Athens (Τριμελές
Πλημμελειοδικείο Αθηνών) ruled in its decision 3668/2006 that
the two defendants that had intervened into the computer system
of a bank and transferred an amount of money from the bank
account of a foreign citizen to their bank account were to be
impeached for the offences of Fraud with a computer (Article
386A P.C.) and for violations of the data protection law.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering,
changing or deleting information in an information system
without authorisation (eg, in order to falsify a website).
Case law available?
No known case law.
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using the spyware itself (independent from what the
perpetrator would do with the stolen information) would likely
be:
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system
without authorisation.
Case law available?
The Supreme Court (Άρειος Πάγος) in its decision 243/2009
dealt, in the context of a decision on the extradition of a person to
the U.S., with an interesting case. The defendant was a member of
a multinational Internet criminal business of dealing with stolen
credit card numbers and other personal identification codes
(among which passwords) via the Internet. More specifically the
defendant was intercepting, via a computer and in a way the
details of which were technically unknown, during the
transactions of others on the Internet their credit card numbers,
codes and the details of their identity cards. He was then selling
them for a fee to third parties via the Internet. The Court
expressed the thought that when a computer is used as the
medium for the deception of third parties, while no intervention
on the configuration of the program or its application takes
place, then the crime committed is Fraud (386 P.C.) and not
Fraud with a computer (386A P.C.).
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
The act of using falsified identity documents to unlawfully apply
for social benefits would likely be:
- a violation of data protection laws, since the stolen information
used to apply for social benefits is likely to be considered
personal data which is being unlawfully processed;
- forgeries related to identity documents, frauds related to
incomplete or false statement in order to obtain social benefits,
fraudulent procurement of false official certification and possibly
a fraudulent public use of a third party's name;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system.
Case law available?
In decision 887/2008, the Supreme Court (Άρειος Πάγος) ruled in a
case in which a citizen managed to deceive the authorities with
regard to her date of birth in order to receive pension from the
Social Insurance Institute under the
early retirement status.
The District Court of Amarousion in its recent
decision 1015/2010 dealt with the issue of identity theft relating
it to the protection of personal data. By using the identity card of
another person, someone managed to conclude a contract with a
mobile telephony operator. According to the Court Decision, the
conclusion of the contract for mobile telephony services by a
person that was not the owner of the identity data submitted
raises liability issues of the mobile telephony provider who
accepted the data without verifying the signature on the identity
card with the one put on the contract. Although this is a
preliminary ruling in which the court requests additional
evidence, it is the first time that the legal framework on data
protection in electronic communications is accepted in identity
theft cases. More specifically the court makes reference to both
the Greek data protection law (2472/1997) and the Law
3471/2006 on the protection of personal data and privacy in the
electronic telecommunications sector.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- a violation of the data protection act, since the personal
information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal
information contained data related to electronic communication
(like email addresses, IP addresses, etc.).
Case law available?
In 2003 the Supreme Court (Άρειος Πάγος) in decision
121/2003 dealt with a case in which perpetrators, acting together
and with common intent, copied onto diskettes the list of clients
from the victim’s computer with the intention of using the
clientele in a competitive travel agency that the perpetrators
established following the departure of one of the perpetrators.
The Supreme Court held that an offence was committed under
Article 370B P.C. (violation of secret computer elements or
software).
ID theft reporting mechanisms
Saferinternet.gr (& SafeLine)
Saferinternet.gr (www.saferinternet.gr) is the awareness-raising and information website of
the Greek Awareness Centre. It is an awareness raising initiative for safer Internet under
the auspices of the Hellenic Ministry of Economy and Finance/Special Secretariat of
information society in cooperation with various private and public market players.
Saferinternet.gr serves as an information portal for the reporting of Internet-based crimes,
but also focuses, among others, on identity theft
(http://www.saferinternet.gr/index.php?objId=Category27&parentobjId=Page2). For the
reporting of violations (including identity theft incidents) Saferinternet.gr makes use of the
hotline SafeLine (http://www.safeline.gr/), which is one of the further axes of Saferinternet.gr.
Although SafeLine focuses mainly on illegal Internet content, it is also used as the
reporting mechanism for any Internet-based crime, including identity theft.
Most of the information on Saferinternet.gr is only available in Greek, with only general
information in English. However SafeLine is available both in Greek and in English.
SafeLine acts in practice as a single contact point, through which Internet-based crime
incidents (eg, phishing) can be reported.
Citizens are given four possibilities for reporting a crime: (a) On-line by filling in an online reporting form (available at http://www.safeline.gr/report/index.php); (b) by post; (c)
by email sent to [email protected] or (d) by phone. A hotline is available on working days
between 9:00 and 16:00. The on-line reporting can be realised via standardised forms, with
interfaces being available both in Greek and English. Anonymous reports are possible; only
the source where the crime was observed is mandatory (a URL, newsgroup and Message
ID, file link for P2P networks, …). The citizen is also required to define the broad
category to which the crime belongs (personal data violation, communication privacy
breach, Internet fraud, …). SafeLine recently installed a new service, which allows the
reporting of cases via the sending of a simple to 54260.
All reports submitted via the site are forwarded to the Greek Police, regardless of the
originating country of the reported content. More specifically, SafeLine works in close
cooperation with the Computer Crime Unit (CCU,
http://www.astynomia.gr/index.php?option=ozo_content&perform=view&id=1763&Itemid=378&lang),
which is responsible for the investigation of Internet-related crime. If the
reported content originates from abroad, SafeLine forwards also the report to a hotline in
the country of origin (if one exists).
ADAE
ADAE (www.adae.gr) is the Hellenic Authority for the Information and Communication
Security and Privacy and is an independent administrative authority. Its goal is to protect
the secrecy of mailing, the free correspondence or communication in any possible way as
well as the security of networks and information. ADAE is responsible for several ID theft
crimes, such as in the cases of email interception, illegal access to mail server for the
interception of emails etc. Citizens can file a complaint at ADAE by post, by fax, or in
person at the premises of ADAE every day between 10.00 and 12.00. They can also file a
complaint online via a standardised form, which is only available in Greek.
DPA
When ID theft relates to the processing of personal data, the citizen can file a complaint with
the Greek Data Protection Authority (www.dpa.gr). The citizen can fill in the Word form,
which is available for download at
http://www.dpa.gr/pls/portal/url/ITEM/43E2FA7E94C3AE2FE040A8C07D245B6F
(only in Greek), and has to send it to the DPA by post, fax, email or bring it in person
every day between 9.00 and 13.00.
Other sites
Apart from SafeLine (part of Saferinternet.gr), and the possibility to file a complaint with
ADAE or the Greek DPA, several other sites play a mainly informative role with respect to
ID theft, including notably:
d.a.r.t. (Digital Awareness and Response to Threats, www.dart.gov.gr) is a group that aims
to inform citizens about, and to prevent and deal with, dangers related
to information and electronic communications technologies. d.a.r.t has a dedicated
page on spam and phishing, as well as on viruses/worms/Trojans/spyware and on
‘electronic’ fraud. The information is available in Greek.
The special secretariat of information society created the website: http://www.1020.gr/,
which is part of the Digital Greece project (http://www.psifiakiellada.gr/). On the website
there is a lot of information on the protection of Internet users and the secure use of the
Internet. However it seems that this website has stopped being updated.
The Hellenic Bank Association has set the protection of the citizens as one of its main
priorities. Therefore most Greek banks provide significant information to the citizens on
how they can protect themselves from identity theft (among other cases), focusing
especially on phishing. Emporiki Bank for instance provides a link to the Anti-Phishing
Working Group (www.antiphishing.org), which is available in English.
Personal assessment of the framework for combating ID theft
Greece has still not ratified the Council of Europe Convention on Cybercrime (185).
Similarly it has not transposed the EU Council Framework Decision 2005/222/JHA of 24
February 2005 on attacks against information systems into the Greek legal system.
However the aforementioned analysis shows that most of the ID theft cases can be covered
under the current legislation.
Especially crimes that relate to a computer are punishable in the Greek Penal Code,
offering sufficient legal protection. However the wording of Articles 370C(2) and 386A is
not broad enough to cover all kinds of crimes relating to the integrity of computers and
data. Therefore the broadening of the scope of Article 370C(2) and maybe also the
decoupling of fraud with a computer (386A) from the crime of fraud (386) will be enough
for offering a solution to this problem. With regard to data interference, a new provision
punishing any kind of data interference will offer protection to cases that may remain now
uncovered by the existing legal provisions; especially when the data do not qualify as
personal data or as document.
The use of SafeLine as the primary portal for reporting ID theft incidents cannot be
considered as sufficient, as actually SafeLine aims at the protection of citizens and mainly
minors against illegal and harmful content. The expansion of the activities of SafeLine in
practice and their good cooperation with the police authorities has significantly
contributed to the protection of victims of ID theft.
The investigation of incidents remains complicated in practice, especially in cross border
cases. Even when clear evidence of an ID theft incident can be found (eg, a fake profile on
a social networking website through which false information is being spread), it can often
prove difficult to convince the website operators to take the offending information off-line,
and even harder to obtain information from the operator that would make it possible for
local judicial authorities to investigate the crime further (eg, IP addresses or mail addresses
used by the offender). In practice, this appears to be the main challenge to combating ID
theft incidents.
Hungary
Applicable laws
Laws focusing explicitly on ID theft
ID theft is not a specific crime under Hungarian legislation. While some elements related
to identity theft, such as personal data abuse, illegal access to computer systems or
communications networks are covered by specific acts, these behaviours are punishable
under the Criminal Code as well as fraud and forgery.
The preparation of the bill on IT Security was finished in 2009 [133]. The bill gives the
definition of ID theft and botnet, and if it is enacted in time these crimes should be
sanctioned by the (amended version of the) Criminal Code from January 1, 2011.
Other laws that may apply to ID theft incidents
The amendment of the Criminal Code coming into force on August 9, 2009 has changed
Articles 177 and 300 related to criminal misuse of personal data and computer-related
crimes, and therefore any person who is engaged in the unauthorized and inappropriate
processing of personal data shall be punished [134].
The new Civil Code (the Act CXX. of 2009), in the event of privacy violations, such as the
right of personal data protection, introduces the eligibility for an offence prize in the
system of sanctions. The judgement of an offence prize can be requested from the court
without the loss or damage being demonstrated (this applies to privacy rights violations
that occurred after May 1, 2010).
Data protection laws
Relevant law
Act LXIII of 1992 on the Protection of Personal Data and the
Disclosure of Information of Public Interest (1992. évi LXIII.
törvény a személyes adatok védelméről és a közérdekű adatok
nyilvánosságáról – Avtv).
Reference
See
http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=99200063.TV (the always operative version)
or in English
http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1992_LXIII
[133] The author, as the then head of department of the former Ministry of Informatics and Communications,
initiated it in 2005.
[134] Earlier the person who had been engaged in the unauthorized and inappropriate processing of personal data
had only been punishable if an act caused significant injury of interests – and this fact was very difficult to
prove.
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they will
violate legitimacy requirements (article 3), proportionality
obligations and the purpose restriction (article 5), transparency
obligations (article 6), fair and lawful processing (article 7),
security obligations (article 10) and formal obligations such as the
prior notification to the Data Protection Commissioner (article
28).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, according to Act IV of 1978 on the Criminal Code
the violations of privacy may be sanctioned according to the
following provisions [135]:
Article 177 (1): any person who reveals any private secret he/she
has obtained in a professional or official capacity without due
cause is guilty of a misdemeanour punishable with a fine; (2): the
punishment shall be imprisonment for up to one year,
community service work, or a fine, if the crime results in a
significant injury of interest.
In case of Misuse of Personal Data:
Article 177/A
(1) Any person who, for unlawful financial gain or advantage or
who imposes significant injury to the interests of another person
or persons in violation of the statutory provisions governing the
protection and processing of personal data:
a) is engaged in the unauthorized and inappropriate processing of
personal data;
b) fails to take measures to ensure the security of data;
is guilty of a misdemeanour punishable by imprisonment for up
to one year, community service, or a fine [136].
[135] In case of infringement of his rights the data subject, or the person specified in paragraph (4) of Article
16/A, of Avtv may institute civil court proceedings against the data controller. The court shall hear the case out
of turn (article 17). The data controller shall be liable for any damage suffered by data subjects as a result of an
unlawful processing of their data or as a result of an infringement of the technical requirements of data
protection. The data controller shall also be liable for any damage suffered by the data subject resulting from
the actions of a technical data processor (article 18).
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
Act C of 2003 on electronic communications (2003. évi C. törvény
az elektronikus hírközlésről - Eht.).
Reference
See
http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=A0300100.TV (the applicable version)
or in English
http://www.nhh.hu/dokumentum.php?cid=10617
Main provisions in relation to ID theft
The relevant rules concerning security and ID theft are the
following:
Article 68 (3): in the course of its market surveillance activities the
National Communications Authority may apply sanctions in the
following cases of infringements:
a) non-compliance with electronic communications regulations,
notifications of service providers, standard contract conditions;
d) failure to comply with any notification requirement;
e) failure to comply or inadequate compliance with disclosure
obligations [137].
Articles 154-156: about the protection of personal data by service
providers, regulating their rights and obligations:
Article 155.1: service providers shall take appropriate technical and
organizational measures - jointly with other service providers if
necessary - in order to block any unauthorized attempt to
intercept, store or monitor communications transmitted and any
related traffic data and to prevent any unauthorized or accidental
access to communications transmitted and any related traffic data
(privacy of communications).
Article 156.1: service providers shall take appropriate technical and
organizational measures - jointly with other service providers if
necessary - in order to safeguard security of their services.
Article 156.3: in case of a particular risk of a breach of the security
of services in spite of the technical and organizational measures
taken, the service provider must inform the subscribers concerning
such risk and the measures the subscribers may take to enhance the
level of protection [138].
Prescribed sanction
The infringements of the communications secrecy may be
sanctioned by articles 5 and 80-84 of the Civil Code (latter articles
of Act IV of 1959 are superseded in May 2010).
Article 33 of the Eht. prescribes the penalties assessed by the
National Communications Authority. According to paragraph 2
the maximum amount of the penalty is set at (according to the
relevant case):
a) 0.25 per cent of the perpetrator's revenues; or
b) five times the net purchase price of any electronic
communications equipment that was placed on the market
illegally.
(3) The Authority - in the cases not mentioned immediately above
- may impose a penalty of 0.05 per cent of the revenues, or
minimum 100,000 forints [139] (about 380 EUR).
[136] Furthermore: (2) Any person shall be punished according to paragraph 1, who does not satisfy her/his
obligation of information, violating the statutory provisions governing the protection and processing of
personal data and thus significantly hurts the interests of somebody else or others; (3) The misdemeanour
is punishable with imprisonment for up to two years, community service work, or a fine, if the misuse of personal
data is committed with special personal data; (4) The punishment for felony shall be imprisonment for up to
three years if it is committed by a public official or in the course of discharging a public duty.
[137] Article 74(1) sets forth that any natural or legal or unincorporated organization shall be entitled to operate
in the Republic of Hungary an electronic communications network and to provide services through an
electronic communications network subject to compliance with the conditions laid down in this Act and in
specific other legislation. According to Article 76(1) providers of electronic communications services shall
notify the Authority for the purpose of registration of their intention to provide electronic communications
services, indicating the proposed date of commencement. Article 80(3) about the electronic communications
equipment prescribes that the radio equipment or electronic communications terminal equipment shall be
constructed so that: it incorporates safeguards to ensure that the personal data and privacy of the user and of
the subscriber are protected; it supports certain features ensuring avoidance of fraud; and the conformity shall
be certified (paragraph 4). Article 83 paragraph (1) requires that providers of electronic communications
services, within the framework of cooperation relating to the operation of public electronic communications
networks and the interconnection of and access to these networks shall ensure the safety of public electronic
communications networks by the protection against unauthorized access.
[138] It should be mentioned that the Government Decree 229/2008. (IX. 12.) Korm on the requirements
related to the quality of electronic communications services in relation to the protection of consumers points
out under Article 8 § 6 that the electronic communications network shall be considered protected if the
service provider ensures, by physical and administrative measures, that unauthorised access to the electronic
communications network, the electronic communications service or information provided by subscribers
should be viable exclusively under especially difficult conditions – hence especially in a manner entailing visible
damage or through other conspicuous means, or by using illicit means or methods.
[139] The exchange rate for 1 Euro was about 265 Forints at the time of the completing of the national report.
(5) Additionally, the Authority may impose a penalty of between
50,000 and 3 million forints, and must impose the penalty for
repeat offense committed by the executive officer of the offender
organization.
Communications secrecy laws – contents of electronic communication
Relevant law
Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről
– Btk.).
Reference
See
http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0
or some of the relevant articles in English:
http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV
Main provisions in relation to ID theft
Article 178. Violation of the Privacy of Correspondence: any
person who opens or obtains a sealed parcel containing a
communication which belongs to another person for the purpose
of gaining knowledge of the contents thereof, or conveys such to
an unauthorized person for this purpose, as well as any person
who taps a correspondence forwarded through
telecommunications equipment is guilty of a misdemeanour.
Article 178/A. Illicit Possession of Private Information: any
person who, for the illicit possession of private information: […]
d) captures correspondence forwarded by means of
communications equipment or computer network to another
person and records the contents of such by technical means is
guilty of a felony.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of article 178 can be criminally
sanctioned with fines, if such act does not result in a more
serious criminal act. The punishment shall be imprisonment for
up to one year, community service work, or a fine, if the crime is
committed in a professional or official capacity.
The punishment shall be imprisonment for up to two years, if
the crime results in a significant injury of interest.
Violation of article 178/A is a felony punishable by
imprisonment for up to five years. The punishment shall be
imprisonment between two to eight years, if the act of crime is
committed:
a) by feigning official action;
b) in a pattern of business operation;
c) as part of criminal conspiracy;
d) causing significant injury of interests.
Fraud
Relevant law
Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről –
Btk).
Reference
See
http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0
Main provisions in relation to ID theft
Fraud in general is punished by Article 318 of the Criminal Code.
This article sanctions any act of using deception (including use of
false names or titles, or any other type of deceptive manipulation
or abuse of good faith or credulity) with the view of obtaining
unlawful financial gain or advantage and if it causes damage with
the deception. This would apply to any ID theft incidents
involving the use of a falsified identity to appropriate property.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of article 318 can be criminally sanctioned
as follows:
- paragraph (2): the punishment for the misdemeanour shall be
imprisonment for up to two years, community service or a fine if the
fraud causes petty damage, or if fraud causing damage not exceeding
the value limit of a minor offence is committed as part of a criminal
conspiracy, in case of emergency or in a pattern of business operation;
Furthermore the punishment will be for up to three years, between
one to five years, between two to eight years or between five to ten
years if, respectively, the fraud causes greater damage, significant
damage, particularly great damage or particularly significant
damage.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről –
Btk).
Reference
See
http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0
Main provisions in relation to ID theft
Forgery with respect to identity is punished under Title III of the
Criminal Code, by Articles 274, 275, 276, 277.
Document forgery:
Article 274
- paragraph (1): a person who:
a) prepares a false document or falsifies the content of a
document;
b) uses a false or falsified document or document of any other
person;
c) collaborates in the preparation of a document containing
untrue data concerning the existence, changing or ceasing of
a right or an obligation, is guilty.
- paragraphs (2) and (3) sanction a person who commits preparation
of document forgery and the forgery of a document in the manner
defined in sections a) or b) of paragraph (1).
Article 275, paragraph (1): a public officer who, abusing his competence,
a) makes a false document or falsifies the content of a document, or b)
records an essential fact falsely in a document, is guilty of felony.
Forgery of private agreements:
Article 276, paragraph (1): a person who uses a private agreement
with false, forged or untrue content to prove the existence,
changing or ceasing of a right or an obligation, is guilty.
Abuse with a document
Article 277 paragraph (1) and (2): a person who unlawfully obtains a
document without the consent of the owner, or destroys, damages, or
conceals a document which is not or not exclusively his own (also
in respect of a private agreement, to obtain unlawful preference or to
cause unlawful disadvantage) is guilty of misdemeanour.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 274 can be criminally sanctioned in §
(1) with imprisonment for a term not exceeding three years.
In § (2) by imprisonment for up to one year, community
service work, or a fine. In § (3) with a fine.
• Violations of article 275 can be criminally sanctioned with
imprisonment for up to five years.
• Violations of article 276 can be criminally sanctioned with
imprisonment for a term not exceeding a year, community
service work, or a fine.
• Violations of article 277 can be criminally sanctioned in §
(1) with imprisonment for up to two years, community
service work, or a fine. In § (2) with imprisonment for a
term not exceeding a year, community service work, or a
fine.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről –
Btk).
Reference
See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0
or some of the relevant articles in English (not updated):
http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV
Main provisions in relation to ID theft
Illegal access to information systems is punished by Article 300/C of
the Criminal Code, including particularly paragraph (1): any person
who gains unauthorized entry to an information system by
compromising or defrauding the integrity of the computer protection
system or device, or overrides or infringes his user privileges, is guilty
of misdemeanour.
This would apply to any ID theft incidents involving the use of false
credentials to gain unauthorized access to an information system, or
to steal credentials from such a system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of § 1 can be criminally sanctioned with
imprisonment for up to one year, community service work, or a fine.
Cybercrime – illegal data interference
Relevant law
Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).
Reference
See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0
or some of the relevant articles in English:
http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV
Main provisions in relation to ID theft
Illegal data interference is punished by Article 300/C of the Criminal
Code, including particularly paragraph (2): any person who:
a) without permission alters, damages or deletes data stored, processed
or transmitted in an information system or denies access to the
legitimate users;
b) without permission adds, transmits, alters, damages, deletes any
data, or uses any other means to disrupt use of the information system
is guilty of misdemeanour.
This would apply to any ID theft incidents involving the falsifying of
identity information stored, transmitted, etc. in an information system.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of § 2 can be criminally sanctioned with imprisonment for
up to two years, community service work or a fine.
Cybercrime – computer-related forgery
Relevant law
Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).
Reference
See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0
Main provisions in relation to ID theft
Computer-related forgery is not a specific crime in the Hungarian
Criminal Code. Article 300/E on the evasion of the technical measure
providing the protection of information systems can be treated as such;
however, it relates to any other computer crimes as well. Article 300/E
includes:
Paragraph 1: a person who, aiming to commit a particular crime defined
in article 300/C, prepares, obtains, releases, merchandises or
otherwise makes available a computer program, password or entry
code which is necessary to or facilitates the crime, or prepares data
allowing login to the system, is guilty of misdemeanour.
Paragraph 2: a person is punishable according to § (1) when, aiming
to commit a particular crime defined in article 300/C, he/she puts
his/her economic, technical or organizational knowledge at somebody
else's disposal for the preparation of a computer program, password,
entry code or data allowing login to the system which is necessary to or
facilitates the crime.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of §1 and §2 shall be criminally sanctioned with
imprisonment for up to two years, community service work, or a fine.
In some specific situations a person cannot be punished: namely, a
person who reveals his/her activity to the authority before the
authority has learned of the preparation of a computer program,
password or entry code which is necessary to or facilitates the crime,
or of data allowing login to the whole or any part of the system, who
hands over the prepared item to the authority, and who enables the
identification of other persons taking part in the preparation.
Cybercrime – computer-related fraud
Relevant law
Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).
Reference
See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0
or some of the relevant articles in English:
http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV
Main provisions in relation to ID theft
Computer-related fraud is punished by Article 300/C of the Criminal
Code, including particularly:
Paragraph (3): any person who, for unlawful financial gain or
advantage, adds, alters, damages or deletes data stored, processed or
transmitted in an information system or denies access to the legitimate
users, or adds, transmits, alters, damages, deletes data or uses any other
means to disrupt the use of the information system, and causes damage
with this, is guilty of felony.
This would apply to, for example, any ID theft incidents involving the
modification of information systems in order to obtain
usernames/passwords (eg, phishing).
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings,
violations of paragraph (3) can be criminally sanctioned with
imprisonment from one to five years if it causes significant damage;
imprisonment from two to eight years if it causes particularly great
damage; imprisonment from five to ten years if it causes particularly
significant damage.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site such as
Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of data protection laws, since personal data of the victim are
unlawfully processed imposing significant injury (or after August 9, 2009
for unlawful financial gain or advantage) to make the false identity
believable (eg, publication of the victim's name, address, photo, etc.);
- forgery and/or computer-related forgery, if the forgery changed the legal
impact of the information;
- fraud and/or computer-related fraud, if the false identity was used to
unlawfully appropriate property;
- harassment, if it is caused by the publication of the victim's name, address,
photo, etc.;
- defamation, if the publication of the victim's name, address, photo, etc.
is connected with an attack on the victim's honour.
Case law available?
A case involved the abusive use of photos and private data (address and
telephone) of a woman on social websites dedicated to the provision of
sexual services.
The victim brought a civil action against the websites before the Pest Central
District Court. The court divided the process and based the decision on
the Act CVIII of 2001 on certain issues of electronic commerce services
and information society services. According to the judgement the owner
of the website, being an intermediate provider, is not responsible for the
content. The Pest Central District Court thus rejected the action and
ordered the plaintiff to pay legal costs. The Metropolitan Court of Appeal
approved the decision in April 2009 [140].
It should be mentioned that in a similar case of falsified online ads
(concerning the offer of a car and of sexual services, where the ads
contained the nickname and phone number of the victim), the police
identified the IP address from where the ads were sent, and in 2007 the
City Court of Hatvan found two defendants guilty of violation of data
protection and of the offence of harassment (articles 177/A and 180
of the Criminal Code). Each defendant was sentenced to a
fine of 100.000 forints (about 400 EUR). The Supreme Court approved
the decision in December 2008 [141].
[140] A copy of the decision can be found here:
http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=0100-H-PJ-2008-511&K=0; and
the appeal http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=2201-H-PJ-2009395&K=0
[141] A copy of the decision can be found here:
http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=1004-H-BJ-2007-3&K=0 and the
appeal:
http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=0001-H-BJ-2008-138&K=0
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- violation of the data protection act, since the credentials are
likely to be considered personal data which are being unlawfully
processed imposing significant injury (or after August 9 2009 for
unlawful financial gain or advantage);
- computer-related crime, if use of the credentials can be
qualified as unlawful access to data related to electronic
communication (eg, to make bank transfers electronically);
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were
used to access a system without authorisation.
Case law available?
Yes, however the unknown perpetrators sent faxes and not
emails in the available case law. The Municipal Court in 2007
heard the case of a bank employee who, without authorization,
collected from the bank information system the details of the
sleeping (dormant) accounts of 7 clients containing large
amounts of money. He took snapshots with a digital camera of
the displays containing the details of the bank accounts
(personal data of the holder, the amount and currency, and the
secret password and code required for the transfer).
The second defendant had opened two bank accounts using lost
and falsified ID documents with his own photos, one document
bearing the original name and the other a falsified name.
Unknown persons started the bank transfers by fax - containing
the secret password and code - sent from a foreign country
phone number (from a Serbian city) to the Hungarian accounts.
The identity of the accomplices remained unknown.
The Municipal Court found the first defendant guilty of the
crime of fraud (Criminal Code § 318) together with the crime of
violation of banking secrecy (Criminal Code § 300 / A) and the
offense of forgery of official documents (Criminal Code § 276)
and sentenced him to 5 years imprisonment.
The second defendant was found guilty of the crime of
continuously committed fraud (Criminal Code § 318) together
with the continuously committed crime of forgery of official
documents (Criminal Code § 274); the court therefore sentenced
him to 3 years and 6 months imprisonment.
In 2008, the Metropolitan Court of Appeal modified the length
of imprisonment of the first defendant to 4 years, and the length
of imprisonment of the second defendant to 2 years and 10
months [142].
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering,
changing or deleting information in an information system
without authorisation (eg, in order to falsify a website).
Case law available?
No known case law.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
The act of using falsified identity document would likely be:
- a violation of the data protection act, since the personal data of
the document would be unlawfully processed imposing
significant injury (or after August 9 2009 for unlawful financial
gain or advantage);
- forgery or document forgery.
Case law available?
No known case law.
[142] A copy of the decision can be found here:
http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=0100-H-BJ-2008-88&K=0 and the
appeal
http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=2201-H-BJ-2008-159&K=0
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be a violation of the data protection act, since the personal
information would be unlawfully processed imposing significant
injury (or after August 9 2009 for unlawful financial gain or
advantage).
Case law available?
No known case law.
Apart from these examples, there are no publicly available law cases.
It has to be highlighted that [143] the abuse of personal data has been included in the
Criminal Code since 2003. A total of 18 sentences of imprisonment were imposed, and the
perpetrators received suspended sentences in 51 cases, in the last 5-year period. This figure
will increase significantly through the tightening of the Criminal Code after 2009.
According to the statistics of the General Prosecutor's Office, 2302 denunciations were made
for abuse of personal data in 2007; of these, the investigation was ceased in 2207
cases in the prosecutorial phase. Far fewer, 262 denunciations, arrived in 2008, but among
these 158 investigations ceased, and in 68 cases the denunciation was rejected. The
majority of the rejections were due to the absence of significant injury of
interest [144].
In most cases, the victim could not make a denunciation before August 2009, but many
citizens filed complaints at the Commissioner of Data Protection.
ID theft reporting mechanisms
If action is required the incident shall be reported to the police. This is a general rule
covering ID theft or other online-related crime as well. There are some other means of
electronic communication. The police are preparing form sheets in the framework of
eGovernment. The system should serve explicitly the administrative cases. The forms
should be completed with the general fill out software and would be uploaded on the
Client Gate of the Central Governmental Portal [145]. The Central Governmental Portal forwards
the files to the e-Cop system of the National Police Headquarters through the Office Gate.
The oldest reporting mechanism is the so-called Telefontanú Programme; however, it was
not created primarily for victims.
[143] Fraudsters submitted several hundred tax declarations containing refund applications in the amount of
roughly 27 million forints with stolen identities of unsuspecting citizens living in different regions of the
country. The personal data and tax numbers were correct in the declarations; however, in 243 cases the handwritten
signatures differed from the signatures of the tax subjects concerned, and the same mailing address
and bank account were given in each case. The Tax Authority made a denunciation against unknown persons according
to news dated June 2008. No law case was found yet.
In November 2009, bank card information of 145 card holders was stolen by skimming at an ATM in
Budapest. The criminals - suspected to be skilled in IT - installed a card reader in the ATM and obtained card
information together with the secret PIN code. The criminals forged bank cards with the data and 319 times
executed, or attempted to execute, various financial transactions. The criminals succeeded in altogether
86 cash withdrawals and caused 6 million forints of damage - according to information provided by the Budapest
Police Headquarters in February 2010. The ATM made video recordings of the users of the fake cards.
The police published the photos and were looking for the perpetrators at the time of the announcement.
[144] See the article of Dr. Zoltán Kulcsár http://www.adatvedelmiszakerto.hu/2009/08/a-jogellenes-adatkezeleskovetkezmenyei/
Telefontanú (Phone Evidence) Programme
The Telefontanú (Phone Evidence) Programme came into operation at the Crime
Prevention and Equality Unit of the National Police Headquarters on January 15,
2001. [146] The idea of the programme arose from the example of the British Crimestoppers
in order to help to find criminals and to increase the effectiveness of crime prevention.
(The programme – based on similar principles – is successfully applied currently in four
European countries: Spain, Great Britain, the Netherlands and Hungary.)
The programme provides an opportunity for citizens who have information about
already completed or planned crimes, criminals or the location of wanted persons but who,
for an appreciable reason, do not want to go to the police or reveal their identities to the authority.
The toll-free number 06-80-555-111 is operated on weekdays. The operators receive the
anonymous information and pass it to the law enforcement authorities (eg, among others
to the National Criminal Investigation Agency of the National Police Headquarters).
About 100.000 notifications were received in recent years; 35-40 percent of the
notifications submitted to the competent authorities resulted in successfully closed
investigations, the arrest of wanted persons and other police measures.
MMS format for data communication has been possible since June 2005. Photos or records of a
crime can be sent to the service office, which forwards the information to the body
authorized to take measures.
Other sites
The crime prevention website of the Hungarian Police can be found at
http://www.megelozes.eu/cms/index.php?option=com_frontpage&Itemid=1, with advice
about the safe use of the Internet. Complaints against misuse may be sent to the web
portal electronically, by postal mail or in person. The police shall answer within three days or
inform about the responsible authority.
The website http://www.internethotline.hu/ contains information for the hotline
submission. It offers the opportunity to report Hungarian illegal or harmful web or
other online content. Primarily an online notification form shall be filled out by clicking
on the site. Alternatively an email notification ([email protected]) could be sent as
well. This is the Hungarian member site of Inhope operated by MATISZ in the framework
of the Safer Internet Action Plan.
[145] https://ugyfelkapu.magyarorszag.hu/szolgaltatasok/dokumentumfeltoltes
[146] http://www.police.hu/megelozes/telefontanu/telefontanuprog.html
The National Cybersecurity Center [147] publishes daily and weekly reports about
vulnerabilities, risks and incidents and quarterly a summary and analysis, with other
professional papers. It operates the National General Duty Service of Informatics and
Communications, an on site 24/7 duty service to handle incidents.
The incident reports should be sent to [email protected] in the form of electronic
mail. The National Cybersecurity Center co-operates with the High-Tech Crime
Prevention Department of the Hungarian National Criminal Investigation Agency (High-Tech
Crime Prevention Department is in charge of the investigation of computer-related
crime).
National Cybersecurity Center/PTA Cert-Hungary undertakes training on the secure
usage of Internet for the employees of its joined organizations. The website
http://www.biztonsagosinternet.hu/ was created for awareness raising and education. Based
on the material of the website there are education programs for the primary and secondary
schools. PTA Cert-Hungary participated in the summer holiday education programs of the
pupils.
Other websites to be mentioned are:
VirusBuster Kft. has offered anti-virus software and other IT security solutions for the
Hungarian and international market since 1997.
http://www.virusbuster.hu/hu/spam/spam_gyik/spam_jon
According to a PPP agreement the publications about spam, malware or Internet fraud of
the General Inspectorate for Consumer Protection can be found on a private website,
www.virushirado.hu/oldal.php?hid=52. On this website consumers can also find
information on where to file a complaint about spam.
Personal assessment of the framework for combating ID theft
The Hungarian Internet penetration rate rose above 52 percent, however it is below the
European average, despite significant improvements. The low penetration and the
language difficulties for the foreign perpetrators reduce the chances of online crime to
some extent.
Several news items published in the media contributed to raising awareness of credit card
fraud, spam and phishing. In the latter half of the year some reviews about ID theft are
available aiming to provide readers with the most reliable and complete information on
how to reduce the risk of becoming a victim. However, really relevant case law concerning
ID-related crime is hard to find. Since 2006 there have been more and more phishing attacks
against customers of Hungarian banks as well. The text of emails or the forged websites
have fewer translation errors, so they deceive many people. The typically foreign
perpetrators have caused significant damage in some cases, but the banks did not disclose
the amount and did not report that to the police.
[147] http://www.cert-hungary.hu/en
As the study of a public prosecutor [148] indicates, the effective investigation of phishing
attacks is difficult and proving cross-border crime is practically impossible. The
same goes for credit card fraudsters, as the data acquired are used in other
countries.
The legal framework is sufficiently comprehensive in the field of personal data protection
and computer crime. The act on electronic communications regulates the functions of the
state and the service providers essentially governed by market competition. The act
provides for the protection of systems security; however, it does not itself prohibit any form of
unauthorized access by any unauthorized natural or legal person, which is sanctioned
by the Criminal Code instead.
The preparation of the bill on IT Security in 2009 should be considered positively hoping
that it will be soon enacted by the Parliament.
[148] The study of Dr. Kökényesi Bárdos Attila can be downloaded from the site of the Pro Iustitia Society:
http://www.stop.hu/articles/comment_forum.php?forum_topics_id=183738&database_id=592874&forum_forbidden=0&lstresults=1&median_code=11888217376498
India
Applicable laws
Laws focusing explicitly on ID theft
There is no general ID theft law in India. Furthermore, there is no general data protection
law in India. The Constitution of India, ratified in 1950, does not explicitly recognize the
right to privacy. However, the Supreme Court first recognized in 1964 [149] that there is a
right of privacy implicit in Article 21 of the Constitution, which states, ‘No person shall be
deprived of his life or personal liberty except according to procedure established by law’. [150]
Here there is no mention of the word ‘privacy’; instead the term ‘personal liberty’ has been
used.
The Information Technology Act 2000 (a.k.a. IT ACT 2000) [151] was notified on Oct 17,
2000 by the Indian Parliament. An amendment to the 2000 Act was proposed in
2005/2006; it was amended through the Information Technology Act 2008 and was
notified by the Indian Parliament on Oct 27, 2009. [152] The amended Act addresses a lot of
cyber security and privacy issues.
Section 66C of the amendments addresses identity theft:
Whoever, fraudulently or dishonestly make use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to three years and shall
also be liable to fine which may extend to rupees one lakh.
Other laws that may apply to ID theft incidents
The Personal Data Protection Bill, 2006 [153]
• The aim of the bill is to provide for protection of personal data and information of an
individual collected for a particular purpose by one organization, and to prevent its
usage by other organization for commercial or other purposes and entitle the individual
to claim compensation or damages due to disclosure of personal data or information of
any individual without his consent and for matters connected therewith or incidental
thereto.
• The bill addresses collection, processing and distribution of personal data of both
government and private sector.
• Penalty
o Whoever contravenes or attempts to contravene or abets the contravention of the
provisions of this Act shall be punishable with imprisonment for a term, which
may extend to three years or with fine, which may extend up to ten lakh rupees
penalty.
• Status of the Bill
o This Bill was introduced in the Rajya Sabha (Government of India) on
the 8th December 2006.
[149] Kharak Singh v State of UP (AIR 1963 SC 1295)
[150] Privacy International. Country reports - Republic of India.
http://www.privacyinternational.org/survey/phr2000/countrieshp.html#Heading3. Visited 02 Oct 04.
[151] https://nicca.nic.in/pdf/itact2000.pdf
[152] http://www.cyberlawtimes.com/itact2008.pdf
[153] http://www.lawyersclubindia.com/forum/files/8_8_the_personal_data_protection_bill__2006.pdf
Privacy protection and data protection legislation
Please identify any applicable laws that protect privacy or personal data in general. Add one
box per relevant law; this may mean that the national profiles contain additional boxes
beyond the ones provided below.
Data protection laws [154]
Relevant law
IT ACT 2000 and IT ACT 2008
Reference
https://nicca.nic.in/pdf/itact2000.pdf;
http://www.cyberlawtimes.com/itact2008.pdf
Main provisions in relation to ID theft
Section 43: ID theft incidents will typically constitute unlawful
access to information (Section 43, clause a), introducing virus
into victim’s machine (Section 43, clause c), impersonation
(Section 43, clause h).
Section 66C as mentioned above.
Prescribed sanction
Convicted criminal ‘shall be liable to pay damages by way of
compensation not exceeding one crore rupees to the person so
affected.’
Communications secrecy laws [155]
Relevant law
Name and date
Reference
Publication reference (preferably an on-line link)
Main provisions in relation to ID theft
Identify the relevant articles/paragraphs/sections
Prescribed sanction
Punishment provided by the law (imprisonment and/or fines)
[154] Specifically transpositions of the Data Protection Directive 95/46/EC; see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT
[155] Specifically transpositions of the ePrivacy Directive 2002/58/EC; see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML
Criminal law
Fraud
Relevant law
N.A.
Reference
N.A.
Main provisions in relation to ID theft
N.A.
Prescribed sanction
N.A.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
N.A.
Reference
N.A.
Main provisions in relation to ID theft
N.A.
Prescribed sanction
N.A.
Cybercrime - illegal access to information systems (hacking)
Relevant law
IT ACT 2000 and IT ACT 2008
Reference
https://nicca.nic.in/pdf/itact2000.pdf;
http://www.cyberlawtimes.com/itact2008.pdf
Main provisions in relation to ID theft
Section 70
Any person who secures access or attempts to secure access to a
protected system in contravention of the provisions of this
section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall
also be liable to fine.
Prescribed sanction
10 years
Cybercrime – illegal data interference [156]
Relevant law
N.A.
Reference
N.A.
Main provisions in relation to ID theft
N.A.
Prescribed sanction
N.A.
[156] Specifically any modifications to national law under the influence of the Council of Europe Convention on
Cybercrime (see http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm) or the EU Council
Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems (see
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32005F0222:EN:NOT)
Cybercrime – computer-related forgery [157]
Relevant law
N.A.
Reference
N.A.
Main provisions in relation to ID theft
N.A.
Prescribed sanction
N.A.
Cybercrime – computer-related fraud [158]
Relevant law
N.A.
Reference
N.A.
Main provisions in relation to ID theft
N.A.
Prescribed sanction
N.A.
Computer source code crime [159]
Relevant law
IT ACT 2000, IT ACT 2008
Reference
https://nicca.nic.in/pdf/itact2000.pdf;
http://www.cyberlawtimes.com/itact2008.pdf
Main provisions in relation to ID theft
Section 65
Whoever knowingly or intentionally conceals, destroys or alters
or intentionally or knowingly causes another to conceal, destroy
or alter any computer source code used for a computer, computer
programme, computer system or computer network, when the
computer source code is required to be kept or maintained by law
for the time being in force, shall be punishable with
imprisonment up to three years, or with fine which may extend
up to two lakh rupees, or with both.
Explanation - For the purposes of this section, ‘Computer Source
Code’ means the listing of programmes, Computer Commands,
Design and layout and programme analysis of computer resource
in any form.
Prescribed sanction
Up to three years, or with fine which may extend up to two lakh
rupees, or with both.
[157] Specifically any modifications to national law under the influence of the Council of Europe Convention on
Cybercrime (see http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm)
[158] Specifically any modifications to national law under the influence of the Council of Europe Convention on
Cybercrime (see http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm)
[159] Specifically any modifications to national law under the influence of the Council of Europe Convention on
Cybercrime (see http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm)
Sending offensive messages using computers / communication devices
Relevant law
IT ACT 2000, IT ACT 2008
Reference
https://nicca.nic.in/pdf/itact2000.pdf;
http://www.cyberlawtimes.com/itact2008.pdf
Main provisions in relation to ID theft
Section 66 A
This covers spam, phishing, etc.
Prescribed sanction
Shall be punishable with imprisonment for a term which may
extend to three years and with fine.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
IT ACT 2000, IT ACT 2008
Case law available?
NO
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
IT ACT 2000, IT ACT 2008
Case law available?
The Case of The State of Tamil Nadu Vs Suhas Katti
From the judgement ‘The accused is found guilty of offences
under section 469, 509 IPC and 67 of IT Act 2000 and the
accused is convicted and is sentenced for the offence to undergo
RI for 2 years under 469 IPC and to pay fine of Rs.500/-and for
the offence u/s 509 IPC sentenced to undergo 1 year Simple
imprisonment and to pay fine of Rs.500/- and for the offence u/s
67 of IT Act 2000 to undergo RI for 2 years and to pay fine of
Rs.4000/- All sentences to run concurrently.’
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
N.A.
Case law available?
N.A.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
N.A.
Case law available?
N.A.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
N.A.
Case law available?
N.A.
Trafficking in unlawfully obtained pictures and videos (eg, selling pornography)
Applicable law(s)
IT ACT 2000, IT ACT 2008
Section 67, Punishment for publishing or transmitting obscene
material in electronic form
Case law available?
Dr. L Prakash was convicted for manipulating his patients in
various ways, forcing them to commit sex acts on camera and
posting the pictures and videos on the Internet.
Fast track court judge R Radha, who convicted all the four in Feb
2008, also imposed a fine of Rs 1.27 lakh on Prakash, the main
accused in the case, and Rs 2,500 each on his three associates Saravanan, Vijayan and Asir Gunasingh.
Other laws/Acts that one can use in India for Identity theft:
Other laws/Acts
Relevant law
Special Relief Act, 1963
Reference
http://districtcourtallahabad.up.nic.in/articles/SRelAct.pdf
Main provisions in relation to ID theft
Section 39
Temporary and permanent injunctions against unauthorized
disclosure of confidential information; award of damages
Prescribed sanction
Enforced by the courts in India
Other laws/Acts
Relevant law
Indian Penal Code, 1960
Reference
http://districtcourtallahabad.up.nic.in/articles/IPC.pdf
Main provisions in relation to ID theft
Criminal complaint for breach of trust can be filed in court by
police or affected party
Prescribed sanction
Enforced by the courts in India
Criminal breach of trust punishable by more than 3 years
imprisonment and fine.
ID theft reporting mechanisms
Indian citizens have many venues to report ID theft:
• Indian Computer Emergency Response Team (CERT-IN) [160]
• Cyber Crime Investigation Cells across India (eg,
http://www.cybercellmumbai.com/ in Mumbai)
• Cyber Crime police stations; an example in Bangalore
http://www.cyberpolicebangalore.nic.in/
[160] www.cert-in.org.in/
The caveat is that the reporting mechanisms are not promoted as they should be and
therefore, the number of incidents that are reported is far lower than the actual number.
Personal assessment of the framework for combating ID theft
I think the laws are sufficient enough to cover all incidents of ID theft in some form or the
other, but the problem I see is the gap between the technologists and lawyers in India.
There is very little interaction between these two communities.
There is also a dearth of knowledge on the techno-legal aspects of the ID theft issue. One
main thing that India needs to look at is capacity building, to train technologists about law
and lawyers/investigating officers about technology.
Given the plethora of issues and huge population in India, it may not be appropriate to
expect quick responses with respect to solving the ID theft problem. Some of these cases
take a long time and I am certain that there are many cases that are being discussed in the
court as this article is written.
Ireland
Applicable laws
Laws focusing explicitly on ID theft
There is no Irish legislation focusing specifically on ID theft. ID theft incidents would be
dealt with through provisions relating to fraud or data protection.
No such ID theft laws are currently under consideration by the lawmaker according to the
available information.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Data Protection Acts 1988:
Data Protection (Amendment) Act 2003:
Reference
Data Protection Acts 1988:
http://www.bailii.org/ie/legis/num_act/1988/0025.html and
Data Protection (Amendment) Act 2003:
http://www.bailii.org/ie/legis/num_act/2003/0006.html
Main provisions in relation to ID theft
ID theft incidents will generally violate the following provisions
of the Acts:
- Fair obtaining and processing of personal data: s.2(1)(a);
- Purpose specification principle: s.2(1)(c);
- Security: s.2(1)(d) and s. 2C;
- Legitimate processing requirements: ss.2A and 2B;
- Registration obligations: s.16.
Prescribed sanction
The Act facilitates the bringing of a civil action for breach of its
provisions: s.7. Various offences are also provided for, for
example, non-compliance with a range of notices issued by the
Data Protection Commissioner: ss.10(12), 11(13) and 12(5)
and obtaining access to personal data and disclosing it: s.22.
The penalties are:
o On summary conviction a maximum fine of €1,270;
o On conviction on indictment a maximum fine of
Communications secrecy laws - contents of electronic communications
Relevant law
Postal & Telecommunications Services Act 1983: s.98 (as amended).
Reference
Postal & Telecommunications Services Act 1983:
http://www.bailii.org/ie/legis/num_act/1983/0024.html#zza24y1983
Main provisions in relation to ID theft
Section 98 of this Act makes it an offence to intercept
telecommunications messages or to disclose the existence, substance or
purport of any such message which has been intercepted or to use for
any purpose any information obtained from any such message. While
the offence originally only applied to messages being transmitted by the
state monopoly telecommunications provider, its application was
extended to cover authorised undertakings ie, those authorised by the
Commission for Communications Regulation to provide electronic
communications networks and services. The offence only applies to
messages that are in the course of transmission. There is no definition in
the Act of ‘telecommunications message’ but it is likely that it applies to
electronic communications. This provision applies to the content of
such communications but not to information about the communication.
It appears to apply to ID theft incidents involving the recording of
electronic communications, provided the communication is being
transmitted by an authorised undertaking.
Prescribed sanction
On summary conviction, a maximum fine of €1016 or a maximum
prison term of 12 months or both.
On conviction on indictment, a maximum fine of €63,500 or a
maximum prison term of 5 years or both
€63,500.
Fraud
Relevant law
Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference
Criminal Justice (Theft and Fraud Offences) Act 2001:
http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft
Section 6 of the Criminal Justice (Theft and Fraud Offences) Act
2001 provides that a person who dishonestly, with the intention
of making a gain for himself or herself or another, or of causing
loss to another, by any deception induces another to do or refrain
from doing an act is guilty of an offence.
Section 7 of the Act provides that a person who dishonestly, with
the intention of making a gain for himself or herself or another,
or of causing loss to another, by any deception obtains services
from another is guilty of an offence.
Prescribed sanction
These offences are indictable and the penalties are an unlimited
fine or a maximum of 5 years imprisonment, or both
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference
Criminal Justice (Theft and Fraud Offences) Act 2001:
http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft
Section 24 of the Criminal Justice (Theft and Fraud Offences)
Act provides that a person is guilty of forgery if he or she makes a
false instrument with the intention that it shall be used to induce
another person to accept it as genuine and, by reason of so
accepting it, to do some act, or to make some omission, to the
prejudice of that person or some other person.
Section 25 of the Act provides that a person who uses an
instrument which is, and which he or she knows or believes to
be, a false instrument, with the intention of inducing another
person to accept it as genuine and, by reason of so accepting it, to
do some act, or to make some omission, or to provide some
service, to the prejudice of that person or any other person is
guilty of an offence.
Prescribed sanction
These offences are indictable and the penalties are an unlimited
fine or a maximum of 10 years imprisonment, or both.
Theft
Relevant law
Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference
Criminal Justice (Theft and Fraud Offences) Act 2001:
http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft
Section 4 of the Criminal Justice (Theft and Fraud Offences) Act
2001 provides that a person is guilty of theft if he or she
dishonestly appropriates property without the consent of its
owner and with the intention of depriving its owner of it.
Property is defined in the Act (s.2) as ‘money and all other
property, real or personal, including things in action and other
intangible property’.
Prescribed sanction
A person guilty of theft is liable on conviction on indictment to a
fine or imprisonment for a term not exceeding 10 years or both.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Damage Act 1991.
Reference
Criminal Damage Act 1991:
http://www.bailii.org/ie/legis/num_act/1991/0031.html
Main provisions in relation to ID theft
Section 5 (unauthorised accessing of data) of the Criminal
Damage Act 1991 provides that ‘a person, who without lawful
excuse, operates a computer … shall, whether or not he accesses
any data, be guilty of an offence’. This would cover identity theft
incidents involving the use of false passwords to gain access to
information systems.
Prescribed sanction
This is a summary offence punishable by a maximum fine of
€635 or a maximum prison sentence of 3 months or both.
Cybercrime – illegal data interference
Relevant law
Criminal Damage Act 1991.
Reference
Criminal Damage Act 1991:
http://www.bailii.org/ie/legis/num_act/1991/0031.html
Main provisions in relation to ID theft
Section 2(1) of the Criminal Damage Act makes it an offence,
without lawful excuse, to damage any property belonging to
another intending to damage any such property or being reckless
as to whether any such property would be damaged. Property is
defined to include data which, in turn, is defined as ‘information
in a form in which it can be accessed by means of a computer
and includes a program’. Damage is broadly defined and includes
alteration or erasure of data.
Prescribed sanction
On summary conviction, a maximum fine of €1270 or a
maximum prison term of 12 months or both.
On conviction on indictment, a maximum fine of €12,700 or a
maximum prison term of 10 years or both
Cybercrime – computer-related forgery
Relevant law
Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference
Criminal Justice (Theft and Fraud Offences) Act 2001:
http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft
As noted above, Sections 24 and 25 of the Criminal Justice
(Theft and Fraud Offences) Act deal with forgery and the use of
false instruments. Instrument is defined as ‘any document,
whether of a formal or informal character’. Document is defined
as including ‘(a) a map, plan, graph, drawing, photograph
or record, or (b) a reproduction in permanent legible
form, by a computer or other means (including
enlarging), of information in non-legible form’. The
definition of instrument goes on to provide a non-exhaustive list
of materials which come within the scope of this definition such
as ‘any disk, tape, sound track or other device on or in which
information is recorded or stored by mechanical, electronic or
other means’. Given the breadth of the definition of instrument,
it is clear that computer-related forgery is covered by these
offences.
Prescribed sanction
These offences are indictable and the penalties are an unlimited
fine or a maximum of 10 years imprisonment, or both.
Cybercrime – computer-related fraud
Relevant law
Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference
Criminal Justice (Theft and Fraud Offences) Act 2001:
http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft
Section 9 of the Criminal Justice (Theft and Fraud Offences) Act
provides that a person who dishonestly operates or causes a
computer to be operated with the intention of making a gain for
himself or herself or another, or of causing a loss to another, is
guilty of an offence. Dishonesty is defined as meaning ‘without a
claim of right made in good faith’: s. 2. This is a very broad
provision which could be used against those who engage in
identity theft, provided the necessary intent is proven.
Prescribed sanction
The offence is indictable and the penalties are an unlimited fine
or a maximum of 10 years imprisonment, or both.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
This would be likely to involve:
- breach of data protection law, on the basis that it would probably
involve unlawful processing of personal data of the victim;
- forgery and/or use of a false instrument – on the basis that the false
profile could constitute a false instrument. The offence would only
arise where it could be shown that the false instrument was made or
used with the intention of inducing another person to accept it as
genuine and, by reason of so accepting it, to do some act, or to
make some omission, or to provide some service, to the prejudice of
that person or any other person;
- fraud.
An offence could be committed under s.6 (Making a gain or causing a
loss by deception) of the Criminal Justice (Theft and Fraud Offences)
Act provided that the perpetrator could be shown to have dishonestly
induced another (eg, Facebook) by any deception to do an act (eg,
create the account for him or her) and has done so with the intention
of making a gain for himself or herself or another, or of causing loss to
another.
An offence could also be committed under s.7 (Obtaining a service by
deception) of the Criminal Justice (Theft and Fraud Offences) Act on
the basis that the person claiming the false identity online might also
be said to be dishonestly obtaining a service by deception provided it can
be shown that this was done with the intention of making a gain for
himself or herself or another, or of causing loss to another.
An offence could also be committed under s.9 (Unlawful use of a
computer) of the Criminal Justice (Theft and Fraud Offences) Act on
the basis that the creation of the account could be said to involve the
dishonest operation of a computer with the intention of making a gain
for himself or herself or another, or of causing loss to another.
In the case of both s.6 and s.7, evidence of deception is a necessary
ingredient of the offence. It is unclear in Irish law as to whether a
computer can be deceived and it might be difficult therefore to secure
a conviction where the creation of the account does not involve any
human intervention. As there is no such requirement in s.9, this
offence would be more likely to apply.
Case law available?
The only legal proceedings to be reported (as a result of a report in
The Sunday Times, Irish edition, of February 14, 2010) concern the
bringing of civil proceedings in relation to a false profile on the Bebo
social networking site: ‘Biker sues Bebo over false profile’ available at
http://www.timesonline.co.uk/tol/news/world/ireland/article7026292.ece
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Applicable offences would include:
- violation of the Data Protection Act on the basis that this
would involve unlawful processing of personal data;
- offences under the Criminal Justice (Theft and Fraud
Offences) Act including: s.6: Making a gain or causing a loss
by deception; s.7: Obtaining a service by deception; s.9:
Unlawful use of a computer. In the case of ss.6 and 7,
evidence of deception would be necessary and in each case it
would be necessary to show intention to make a gain or cause
a loss;
- unauthorised accessing of data (s.5, Criminal Damage Act) –
assuming the activity involved operating a computer with
intent to access data.
Case law available?
No known case law.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
Phishing would involve a violation of the Data Protection Act as
it would involve unlawful processing of personal data.
Phishing could also involve an offence under s.6 of the Criminal
Justice (Theft and Fraud Offences) Act: Making a gain or causing
a loss by deception. It could also give rise to an offence under s.9
of the same Act: unlawful use of a computer.
Phishing could also result in prosecution for theft under s.4 of
the Criminal Justice (Theft and Fraud Offences) Act if the
person engaged in the phishing succeeded in appropriating
someone’s property as a result of using information gathered
through phishing.
Case law available?
No known case law.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
Section 251 of the Social Welfare (Consolidation) Act 2005
makes it an offence for a person to produce or furnish any
document or information for the purpose of obtaining or
establishing entitlement to any benefit which he or she knows to
be false in a material particular. The penalty on summary
conviction is a maximum fine of €1,500 or a maximum prison
sentence of 6 months or both. On conviction on indictment, the
penalty is a maximum fine of €13,000 or a maximum prison
sentence of 3 years or both.
Case law available?
Though prosecutions for Social Welfare fraud are relatively
common: for example, approximately 380 cases were referred to
the courts in 2009 (Source: Department of Social and Family
Affairs Press Release, December 8, 2009 available at
http://www.welfare.ie/EN/Press/PressReleases/2009/Pages/pr081209.aspx), there is no known reported case law.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
This would involve a violation of Data Protection Law on the
basis that the personal data would be unlawfully processed
Case law available?
The Data Protection Commissioner has dealt with an inquiry
relating to an offer of the ‘gift’ of a database of names and
addresses that had been made to a charity. The charity asked for
advice from the Commissioner’s office as to whether they could
accept this gift. The Commissioner expressed the view that
acceptance of the gift would involve breaches of the fair obtaining
and compatible processing requirements of the Data Protection
Acts: Case Study No.8 of 1996 available at:
http://www.dataprotection.ie/viewdoc.asp?Docid=174&Catid=45&StartDate=1+January+2008&m=c
No known case law can be reported relating to electronic or non-electronic identity theft
(eg, passport forgery, forgery of driving licence or social security number). However, the
following elements should be highlighted:
Passports:
The definition of ‘instrument’ for the purposes of the offences of forgery and using a false
instrument, ss.24 and 25 of the Criminal Justice (Theft and Fraud Offences) Act expressly
includes a passport. A newspaper reported on a successful District Court prosecution of a
woman for using a false passport from another jurisdiction: ‘Woman fined €650 for forged
passport’, Galway Advertiser, March 12, 2009, available at:
http://www.advertiser.ie/galway/article/9589
Driving licences
Section 115(4) of the Road Traffic Act 1961 makes it an offence to ‘forge or fraudulently
alter or use, or fraudulently lend to, or allow to be used by, any other person, any licence’.
Forgery of social security number
Section 262(9) of the Social Welfare (Consolidation) Act 2005 makes it an offence to use
another person’s personal public service number. It is also an offence to use or attempt to
use another person’s Public Service Card: s. 263(4).
ID theft reporting mechanisms
No dedicated ID theft reporting mechanisms exist.
The hotline.ie service provides a facility for the public to report suspected illegal content
encountered on the Internet. It is mainly concerned with material such as child
pornography but it appears that it does receive complaints concerning identity theft and
phishing. These are said to represent ‘a small proportion of reports’:
http://www.hotline.ie/5threport/documents/Hotline5thRep.pdf
Personal assessment of the framework for combating ID theft
Regarding the issue whether or not the laws are sufficiently flexible to cover all incidents of
identity theft, the laws appear to be suitable in terms of covering all incidents of ID theft in
Ireland. The Data Protection Commissioner is of the view that ID theft is not a significant
issue in Ireland (Source: email from the Commissioner received on 6/4/2010). The
Commissioner takes the view that one reason for this is the absence of a unique national
identity number in widespread use.
As regards the application and effectiveness of these laws in practice, the main
challenges include issues relating to detection and the gathering of evidence. The often
cross-jurisdictional nature of the problem exacerbates these problems.
Regarding the reporting mechanisms and following up of investigation, there is no
dedicated ID theft reporting mechanism in place. While such a mechanism could be
useful, the establishment of a new reporting mechanism could be a source of confusion to
the public. It might therefore be better to run a public information programme making it
clear that incidents of identity theft should be reported to the Data Protection
Commissioner or, where there is criminal intent, to the police (An Garda Siochána: a
specialist unit within the Garda – the Garda Bureau of Fraud Investigation – which
focuses on serious fraud has, in conjunction with the finance industry and the
Northern Ireland Police Service, issued a guide to fraud prevention which emphasises
the importance of protecting one’s identity, available at:
http://www.garda.ie/Documents/User/IBF_Fraud_Prevention_Brochure_19102009.pdf).
The institution of a mechanism for the online reporting of ID theft involving criminal
intent via the Garda website could be explored.
Italy
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Italy that focuses explicitly and directly on ID theft
as a specific crime, or that defines such crime comprehensively. Currently, ID theft-related
crimes, in their various expressions, are countered through the general provisions listed
below. No such legislation is currently under evaluation or definition. The policy emphasis
is on improving awareness of such crime among citizens and on law enforcement bodies.
Other laws that may apply to ID theft incidents
Privacy and data protection
Relevant law
Legislative Decree n.196, 30 June 2003 – Code of protection
of personal data
Reference
http://www.garanteprivacy.it/garante/document?ID=1219452
Main provisions in relation to ID theft
The Code of protection of personal data, which creates a public
body (Garante) to oversee the system and to hear civil
rights appeals, regulates proper privacy protection
policy and diligence, obligations for data acquisition, storage
and treatment, sanctions for breach and violation of the main
provisions, mostly:
• Section 11 – regulates the processing arrangement
and data quality, calling for due compliance to
standards of transparency and quality in data
collection and storage,
• Section 13 – regulates the standards for information
to data subjects, with particular emphasis on the
obligatory or voluntary nature of providing the
requested data, and the obligations to inform
promptly, transparently and directly the purpose and
modalities of eventual data dissemination and / or
sharing,
• Section 16 – describing obligations for data storage
termination and, in particular, the duty to destroy
any personal or professional ID database, especially if
related to commercial use. The transfer or acquisition
of the database shall be part of a compliant and
detailed communication to data subjects, and the
whole procedure of disclosure, data treatment
consensus and treatment shall be re-activated,
• Section 20 – Principles applying to the processing of
sensitive data: Processing of sensitive data by public
bodies shall only be allowed where it is expressly
authorised by a law specifying the categories of data
that may be processed and the categories of operation
that may be performed as well as the substantial
public interest pursued. Sensitive data may only be
processed with the data subject’s written consent and
the Garante’s prior authorisation, by complying with
the prerequisites and limitations set out in this Code
as well as in laws and regulations.
• Section 30 - Processing operations may only be
performed by persons in charge of the processing that
act under the direct authority of either the data
controller or the data processor by complying with
the instructions received.
Prescribed sanction
- termination of processing operations: fine between 10.000
and 60.000 euros. If the breach is made for personal
enrichment: between 6 and 18 months imprisonment
- unlawful personal data treatment: fine between 10.000
and 120.000 euros (50.000 to 300.000 for mass
database). If the breach is made for personal enrichment:
between 6 and 24 months imprisonment
- unlawful data dissemination: for personal imprisonment
or if the breach causes serious harm to reputation: 1 to 3
years imprisonment
- unlawful data storage: fine between 10.000 and 50.000
euros (doubled for mass databases)
- incomplete information and notification: fine between
20.000 and 120.000 euros (4 times-increase for mass
databases)
Communication secrecy
Relevant law
Italian Constitution; Code of criminal procedure; Code of conduct
for telecommunications (and the related Authority’s overview
procedures)
Reference
http://www.lectlaw.com/files/int03.htm
http://www.servat.unibe.ch/icl/it00000_.html
http://www.agcom.it/ (in Italian)
Main provisions in relation to ID theft
The explicit guarantee provided by the Italian Constitution (art.
15), citing the secrecy of communication as a fundamental right of
all citizens and in all forms of communication, has direct
consequences on law provision, assuming that secrecy applies to all
domains of communication and thus only describing the cases and
aspects where an exception is allowed or tolerated in terms of
listening, recording, tapping and storing any communication.
Any limit to the Constitutional provision shall thus be explicitly
authorized by a judge or a judicial part, for purpose of criminal
proceeding or law enforcement. Judicial police is the only public
body activated and allowed to practically violate the secrecy of
communication right.
Article 266 of the Italian criminal code provides full discipline of
authorization and use of data in case of listening, tapping, storing
and interfering with any kind of private communication. The cases
allowed for this procedure are:
- intentional crimes
- crimes against the Public Administration
- drugs-related crimes
- terrorism-related crimes
- stalking, mobbing or persecution through communication means
If any violation is to be made in personal residence or professional
main address, it must be justified by the reasonable suspicion that the
criminal intent and / or activity is based in the perimeter of personal
spaces.
The judge can only allow tapping or listening through electronic
devices if (art. 267 of Criminal code):
- there is serious evidence of a crime
- tapping / listening / intrusion in personal communication (emails and
similar) is the only means for a reasonably positive conclusion of inquiry
The maximum timeframe is 15 days, extendable to 30 if necessary.
In case of terrorism or criminal organizations (mafia-related) crime,
art. 13 of Law 203 / 1991 provides the framework for exception to
art. 267:
- listening / tapping is automatically considered as an indispensable
means, thus not compelling any pre-emptive evaluation
- the judge can authorize it on the basis of sufficient evidence of a
crime (and not ‘serious crime evidence’)
- intrusion in personal residence and spaces can be allowed with
reasonable evidence about the spaces where the crime is being plotted
- The maximum duration is 20 days, extendable up to 40 days
Prescribed sanction
• Articles 266 – 271 of the Italian criminal law, as amended
by Law Decree n.259 (2006): there is a certain degree of
homogeneity in terms of sanctions for crimes related to
violation of communication secrecy (6 months to 4 years
imprisonment, besides damages that the victim might ask
in a civil proceedings). The sanction is raised up to 1 to 5
years if the crime is committed by a public officer
• Article 617 quinquies (installation of electronic devices for
communication alteration and/or tapping): 1 to 4 years
imprisonment (up to 5 years if the crime is committed by a
public officer)
• Article 618 (revelation of personal correspondence): 1 to 6
months imprisonment; 103 to 516 euros fine
Internet Fraud
Relevant law
Criminal Code
Reference
http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft
No specific provision in Italian legal system. Possible extensive
application of Article 640 ter of the Italian Criminal code
(Electronic Fraud)
Prescribed sanction
- 6 months to 3 years imprisonment; between 51 and 1.032 euros
fine
- 1 to 5 years imprisonment and a fine between 309 and 1.549
euros if the crime is committed by a public officer
Forgery (offline)
Relevant law
Criminal Code
Reference
http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft
There is a specific provision in the Italian criminal code. Forgery and
counterfeiting of personal and ID docs is considered a crime under
Article 497 bis. Any alteration of pre-existing documents is also
specifically treated in the code (art. 495ter). A particular provision is
devoted to alteration or forgery of documents, replicating police and
security forces badges and / or distinctive signs (art. 497ter)
Prescribed sanction
- 1 to 4 years imprisonment for ‘possession’; 16 to 64 months
imprisonment for ‘forgery of false documents’
- 1 to 6 years imprisonment for alteration of official ID and status
documents (study or professional certificates)
Forgery (online)
Relevant law
Criminal Code
Reference
http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft
No specific provision. Article 617 sexies of Criminal code
encompasses crimes relating to falsification, duplication, alteration
of electronic communication and data. Criminal intent is a
necessary pre-requisite to envisage a crime; any unintentional
violation is considered an administrative crime and is treated as such
in courthouses, impelling a fine to the offended person, as a
proportion of the violation received.
Prescribed sanction
1 to 4 years imprisonment
Application in practice
Hacking
Relevant law
Criminal Code
Reference
http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft
It is treated as an extension to the main provisions listed above, for
the general purpose of guaranteeing secrecy of communication. The
Budapest Convention on Cybercrime, Italy being a first-time
partner, has updated some provisions, and especially article 615
quinquies of the Italian Criminal Code, referring to the abuse in
access to electronic databases or computer systems for the purpose of
interrupting a system, stealing data, hacking a system.
Prescribed sanction
- Up to 2 years imprisonment
- Up to 10.329 euros fine
Case law available?
With sentence n. 37322 (dated 8 July 2008), the Italian highest
Court has condemned a man, previously a partner in a law
firm, for illegal intrusion into his partner's computer system. The
latter had moved to another office, and had created a new law
firm, as a consequence of an internal dispute between the two partners.
The Court has recognized the application of article 615 quinquies
of the Criminal code, as amended by the provisions of the Budapest
Convention.
Cybercrime (ID online theft)
Relevant law
Criminal Code
Reference
http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft
No specific provision in the Italian legislation. As an extension, the
Italian judicial system has historically applied the provision of article
494 of the Criminal code, dealing with substitution (both online
and offline) of personal identity.
Prescribed sanction
- Up to 1 year imprisonment
Case law available?
In 2008, the Italian Group ‘Poste Italiane’ (Italian Post Company)
and one of the major banking and financial institutions (Banca
Intesa) were at the core of a cyber attack aimed at stealing the
identities of customers and their account details, in order to
then make criminal use of the identity data in traditional
homebanking systems. The court has recognized the new
species of crime and has appealed to a variety of legal provisions.
The main reference has been exactly art. 494 of the Criminal code,
calling for the intent of criminals to use false ID to get in touch
with the companies’ electronic systems and steal money.
Judges have of course appealed also to the listed articles 617 sexies
of Criminal code (falsification or alteration of electronic
communication data), article 640 of the Criminal code (fraud),
article 615 ter of the Criminal code (abuse and intrusion into
electronic systems) and art. 12 of the Italian Law n. 197 (dated 5
July 1991), on abuse in use of credit cards and payment
instruments.
Phishing
Relevant law
Criminal Code; Law 15 July 1991 n. 197
Reference
http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft
There is no specific legislation on phishing. As an extension, the
judicial system has historically applied the already mentioned article
617 sexies of the Criminal Code (falsification and manipulation of
electronic communications) and art. 640 ter, Criminal Code (fraud)
Prescribed sanction
- 6 months to 3 years imprisonment; between 51 and 1.032 euros fine
- 1 to 5 years imprisonment and a fine between 309 and 1.549
euros if the crime is committed by a public officer
- 1 to 4 years imprisonment (1 to 5 years if the crime is committed
by an administrator or public officer)
Case law available?
Cases are very recent and definitely concentrated on the so-called
‘sms phishing’ (or SMishing). The first sentence was provided by
the Milan Courthouse in 2007, for a fraud related to phishing
through mobile phones. The criminal network asked for sms
receivers to immediately provide PIN security extremes for their
bank account, if related to a credit card. The sms sender was
definitely the credit card company. The judge has sanctioned this
crime, appealing to article 617 sexies of Criminal code, with 2 years
and 8 months imprisonment, a 1.000 euros fine and 10.000 euros
compensation for image damage.
As for online phishing, the first and most relevant case involves the
Italian group ‘Poste Italiane’, listed by statistics as the preferred ‘fake
referent’ of phishing victims. In 2008 a Courthouse has condemned
a 24-year old boy for ‘manipulation of electronic communication
for the purpose of fraud’ to 1 year and 8 months imprisonment.
ID theft reporting mechanisms
Polizia Postale e delle comunicazioni (TLC and Postal Police): the specialized police
branch in prevention of cyber crimes and investigation for electronic crimes, prevention of
hacking, secrecy of communication and the fight to online pedo-pornography. It operates
through 20 regional offices and an electronic window for reporting crimes:
poltel.XX(province)@poliziadistato.it
It also operates through the main police emergency number 112.
• Commissariato online (online police office): the most recent and
state-of-the art reporting mechanism. Through an electronic window
(http://www.commissariatodips.it/) crimes can be reported directly and
with instant opening of a crime report
• CNAIPIC (Anti – cyber crime Centre for National Infrastructures
Protection): highly specialized cell of the Italian Police, to prevent
and deter cyber threats. An operational window is open 24/24 – 7/7.
• Nucleo Frodi Telematiche Guardia di Finanza (Fiscal police cell for
cyber frauds): highly specialized group to prevent id theft, cyber
fraud, forgery, electronic crimes
• Adiconsum and other consumers’ rights protection: for frauds and ID
theft, they promote class actions among consumers. They have toll free
numbers and are reachable at given time ranges during the week.
Personal assessment of the framework for combating ID theft
Identity Theft and Fraud cases in Italy have been rising in recent years, with a growth of
32 percent in 2007 and 11 percent in 2008, for a total amount of 145 million Euros
in 2008 [161], not including ATM-related frauds, which by the way account for an average
of 500 million Euros in Europe, with a +148 percent growth rate compared to the previous
year [162].
Victims
There were 25.000 victims of identity theft in 2008 in Italy.
70 Italian consumers have already been victimized by identity theft every day.
Identikit of Victims: men 30/40 years old, living in Campania, Sicilia,
Lombardia, Lazio or Puglia, mainly freelancers.
Discovery
69 percent discover someone has stolen their identity after six months, while 22
percent of victims don't learn that their identity has been stolen for two or more
years
37 percent of consumers check their credit card reports.
The information used to commit identity theft is: in 36 percent of cases the
home address, in 30 percent of cases personal data and finally lost or stolen
documents.
It can take up to 1.525 days (36.600 hours) to discover the theft, but the average
victim will discover it in around 206 days (4.944 hours)
Hotels as well are listed among the major targets for digital criminals: among
those ‘destinations for intruders’ listed in 2009, 38 percent goes to hotels’
hacking, more than the financial industry (19 percent) and retail industries
(14.2 percent) combined [163].
Recovery
The average victim spends 672 hours (1 month) repairing the damage. There is
an important percentage of people (29 percent) who are not aware and find it
impossible to know how long it takes to repair all the damage caused.
Victims have recognised that insecurity and fear (37 percent) and the loss of
time (25 percent) are amongst the most important after-effects and are very
difficult to repair.
Victims of ID theft don’t know exactly what to do to solve the problem (58
percent); only 21 percent of the victims consider that reporting to the police
could help; another 14 percent thought that calling their bank could be a solution
and engaging a lawyer could help 7 percent of the victims.
Costs
In 2008, existing Identity fraud in Italy totalled 145 million € (30 percent
increase over 2007 figures). The average fraud amount is 5.300 €
[161] Source: CRIF report 2009
[162] Source: ENISA ATM Crime Report 2009, www.enisa.europa.eu
[163] Source: http://www.ciozone.com/index.php/Security/Hackers-Lurking-in-Hotel-Networks.html, from the
TrustWave Survey
From a general perspective, the Italian legislation to prevent and punish ID theft and other
cyber-related crimes is in quick and growing evolution. Within the framework of European
cooperation, Italy is updating most of its civil and criminal provisions to fight such
phenomena.
Currently, two main vacuums emerge from the previous analysis:
- there are no specific provisions and codification for false ID (online)
and for identity theft, when used for criminal purposes. One of the
existing provisions applied by judges is art. 494 of the Italian criminal
law (namely: ‘substitution of person’). The sanctions are then related to
this kind of crime, thus not exactly conveying the potential effects of new
cybercrimes in terms of harm and reputation of the offended / victim;
- Phishing: no consolidated legislation. In some most recent decisions made
by civil courts, judges have been forced to appeal to several articles and
chapters of the Civil and Criminal Code, with varying interpretations of
sanctions.
Furthermore, there is a divisive political debate involving the Italian Parliament and social
actors about a potential reform of the law on secrecy of communications (mainly based on
wiretapping procedures and guarantees). It is highly probable that the law will change very
soon, implying a more restrictive interpretation of procedures to authorize wiretapping and
harsher sanctions for people violating data protection (especially in terms of news leaks).
Japan
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Japan that focuses explicitly on ID theft as a specific
crime, or that defines such a crime. In practice, ID theft incidents are combated using the
general provisions below (in relation to personal data protection, fraud, etc.).
No such legislation is currently under consideration to our knowledge. Instead, the policy
emphasis in Japan is more on improving awareness of ID theft risks with potential victims
and law enforcement bodies.
Other laws that may apply to ID theft incidents
Data protection laws – Protection of Personal Information Held by
Administrative Organs
Relevant law
Act on the Protection of Personal Information Held by
Administrative Organs (Act No. 58 of May 30, 2003) /
Gyoseikikan no hoyusuru kojinjoho no hogo ni kansuru horitsu)
Reference
See http://law.e-gov.go.jp/htmldata/H15/H15HO058.html
Main provisions in relation to ID theft
Article 54 of this Act forbids a person prescribed in Article 53
from providing another person with, or appropriating, the Retained
Personal Information that he or she acquired with respect to his
or her work, for making illicit gain for himself or herself or for a
third party.
A Person of Article 53 is an employee or former employee of an
Administrative Organ or an individual or a business operator
entrusted by an Administrative Organ with the handling of
Personal Information engaged in or formerly engaged in the
entrusted affairs under Article 6, paragraph 2.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with imprisonment with work for not more than one
year or a fine of not more than 500,000 yen.
Data protection laws – Protection of Personal Information Held by
Independent Administrative Agencies, etc
Relevant law
Act on the Protection of Personal Information Held by
Independent Administrative Agencies, etc. (Act No. 59 of 2003)
/ Dokuritsugyoseihoujintou no hoyusuru kojinjoho no hogonikansuru
horitsu)
Reference
See http://law.e-gov.go.jp/htmldata/H15/H15HO059.html
Main provisions in relation to ID theft
Article 51 of this Act forbids a person prescribed in Article 50
from providing another person with, or appropriating, the Retained
Personal Information that he or she acquired with respect to his
or her work, for making illicit gain for himself or herself or for a
third party.
A Person of Article 53 is an employee or former employee of an
Independent Administrative Agency or an individual or a
business operator entrusted by an Administrative Organ with the
handling of Personal Information engaged in or formerly engaged
in the entrusted affairs under Article 7, paragraph 2.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with imprisonment with work for not more than one
year or a fine of not more than 500,000 yen.
Data protection laws – Protection of Family Registration
Relevant law
Family Registration Act (Act No. 224 of December 22, 1947) /
Kosekiho)
Reference
See http://law.e-gov.go.jp/htmldata/S22/S22HO224.html
Main provisions in relation to ID theft
Article 132 of this Act forbids a false report about the matter
which does not need mention of the family register or a record.
This article also forbids a false report about the matter on the
foreigner.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with imprisonment with work for not more than one
year or a fine of not more than 200,000 yen.
Data protection laws – Protection of Residential Basic Book
Relevant law
Residential Basic Book Act (Act No.81 of July 25, 1967) /
Juminkihondaichoho)
Reference
See http://law.e-gov.go.jp/htmldata/S42/S42HO081.html
Main provisions in relation to ID theft
Article 47 paragraph (1) item (ii) of this Act forbids the following
acts when done by deceit or other wrongful means:
• Receiving the copy of the certificate of residence or the certificate
of registered matters of the certificate of residence prescribed in
Article 12 to Article 12-3.
• Receiving the copy of the certificate of residence prescribed in
Article 12-4.
• Receiving the copy of the appendix table of the family registration
prescribed in Article 20.
• Receiving the Basic Resident Register card prescribed in Article
30-44.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with a fine of not more than 300,000 yen.
Data protection laws – Protection of passport
Relevant law
Passport Act (Act No.267 of November 28, 1951) / Ryokenho)
Reference
See http://law.e-gov.go.jp/htmldata/S26/S26HO267.html
Main provisions in relation to ID theft
Article 23 paragraph (1) item (i) of this Act forbids that an act of
the listing the falsehood in documents about the application
based on this law or the request and others injustice resemble it
and receives the grant of connections application concerned or a
passport modifying request or the voyage book.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with imprisonment with work for not more than 5
years or a fine of not more than 3,000,000 yen.
Data protection laws – Protection of driver's license
Relevant law
Road Traffic Act (Act No.105 of June 25, 1960) / Dorokotsuho)
Reference
See http://law.e-gov.go.jp/htmldata/S35/S35HO105.html
Main provisions in relation to ID theft
Article 117-4 paragraph (1) item (iv) of this Act forbids receiving
the grant of a driver's license or the overseas driver's license by
false or other wrongful means.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with imprisonment with work for not more than one
year or a fine of not more than 300,000 yen.
Data protection laws – Protection of the person oneself confirmation
information of the financial institution
Relevant law
Act on Prevention of Transfer of Criminal Proceeds(Act No.22
of March 31, 2007) / Hanzai ni yoru syueki no itenboushi ni
kansuru horitsu)
Reference
See http://law.e-gov.go.jp/htmldata/H19/H19HO022.html
Main provisions in relation to ID theft
Article 26 of this Act forbids the following:
• §1: A person who has, in the guise of another person,
with the intention of receiving the services pertaining to
a deposit/savings contract with a specified business
operator (limited to those listed in Article 2, paragraph
2, items (i) to (xv) and item (xxxiii); hereinafter the same
shall apply in this Article) or having a third party receive
such services, received the assignment, delivery or
provision of the deposit/savings passbook, the
deposit/savings withdrawal card, the information
necessary for deposit/savings withdrawal or transfer or
other items specified by a Cabinet Order as necessary for
receiving the services pertaining to a deposit/savings
contract with a specified business operator (hereinafter
referred to as a ‘deposit/savings passbook, etc.’) shall be
punished. The same shall apply to a person who has
received the assignment, delivery or provision of a
deposit/savings passbook, etc. for value without
justifiable reasons such that the assignment, delivery or
provision accompanies an ordinary commercial
transaction or financial transaction.
• §2: The preceding paragraph shall also apply to a person
who has assigned, delivered or provided a deposit/savings
passbook, etc. to another person for value while knowing
that such other person has the intention prescribed in
the first sentence of the same paragraph. The same shall
apply to a person who has assigned, delivered or
provided a deposit/savings passbook, etc. for value
without justifiable reasons such that the assignment,
delivery or provision accompanies an ordinary
commercial transaction or financial transaction.
• §3: A person who has committed, as a business, the
crime prescribed in any of the preceding two paragraphs
shall be punished.
• §4: §1 shall also apply to a person who has solicited
people or induced people by advertising or other similar
methods to commit the crime prescribed in paragraph 1
or paragraph 2.
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceedings:
• Violations of §1, §2 and §4 can be criminally sanctioned
with a fine of not more than 500,000 yen.
• Violations of §3 can be criminally sanctioned with
imprisonment with work for not more than 2 years or a
fine of not more than 3,000,000 yen, or both.
Communications secrecy laws
Relevant law
Act on Electronic Signatures and Certification Business (Act No.
102 of May 31, 2000) /Denshisyomei oyobi ninshogyomuni
kansuru horitsu)
Reference
See http://law.e-gov.go.jp/htmldata/H12/H12HO102.html
Main provisions in relation to ID theft
Article 41 of this Act forbids any person from making a false
application and causing the Accredited Certification Business
Operator or the Accredited Foreign Certification Business
Operator to perform false certification on the User, with respect
to the Certification Business pertaining to the accreditation.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with imprisonment for not more than 3 years
or a fine of not more than 2,000,000 yen.
Fraud
Relevant law
Penal Code (Act No. 45 of April 24, 1907) (Keiho)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Fraud in general is punished by Article 246 of the Penal Code.
This article sanctions any act of using deception (including use of
false names or titles, or any other type of deceptive manipulation
or abuse of good faith or credulity) with a view of appropriating
someone else’s property. This would apply to any ID theft
incidents involving the use of a falsified identity to appropriate
property.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of article 246 can be criminally
sanctioned with imprisonment with work for not more than 10
years.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Penal Code (Act No. 45 of April 24, 1907) (Keiho)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Forgery is punished by Article 154 and following of the Penal
Code, including particularly:
• Art. 155: A person who, for the purpose of uttering,
counterfeits a document or drawing to be made by a
public office or a public officer or who alters a document
or drawing which has been made by a public office or a
public officer shall be punished;
• Art. 157(1): A person, who makes a false statement
before a public officer and thereby causes the official to
make a false entry in the original of a notarized deed,
such as the registry or family registry, relating to rights or
duties or to create a false record on the electromagnetic
record to be used as the original of a notarized deed
relating to rights or duties, shall be punished.
(2): A person, who makes a false statement
before a public officer and thereby causes the official to
make a false entry in a license, permit or passport, shall
be punished;
• Art. 159: A person who counterfeits or alters a document
or picture relating to rights, duties or certification of
facts shall be punished falsifying passports or other
identity documents or intentionally using such
documents.
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceedings:
• Violations of article 155 (in cases using the seal or
signature of a public office or a public officer) can be
criminally sanctioned with imprisonment between 1 and
10 years. Violations in cases that do not use the seal or
signature of a public office or a public officer can be
criminally sanctioned with imprisonment with work for
not more than 3 years or a fine of not more than
200,000 yen.
• Violations of article 157 (1) can be criminally sanctioned
with imprisonment with work for not more than 5 years
or a fine of not more than 500,000 yen. Violations of
article 157 (2) can be criminally sanctioned with
imprisonment with work for not more than 1 year or a
fine of not more than 200,000 yen.
• Violations of article 159 (in cases using the seal or
signature of another) can be criminally sanctioned with
imprisonment with work for not less than 3 months but
not more than 5 years. Violations in cases that do not use
the seal or signature of another can be criminally sanctioned
with imprisonment with work for not more than 1 year
or a fine of not more than 100,000 yen.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Act on the Prohibition of Unauthorized Computer Access (Act
No. 128 of August 13, 1999) (Fuseiakusesukoui no kinshito ni
kansuru horitsu)
Reference
See http://law.e-gov.go.jp/htmldata/H11/H11HO128.html
Main provisions in relation to ID theft
Illegal access to information systems is punished by Article 8 of
Act on the Prohibition of Unauthorized Computer Access,
including particularly:
• (1): Accessing a computer through telecommunications
network without authorization using ID and the
password etc, of another person (an identification code);
• (2): Accessing a computer through telecommunications
network without authorization using information or an
order (except the identification code) that can avoid
restrictions by the access control function;
• (3): Accessing a computer through telecommunications
network without authorization attacking a security hole.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system, or to steal credentials from such a system.
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceedings, violations of article 8 shall be punished by
imprisonment with work for not more than 1 year or a fine of
not more than 200,000 yen.
Cybercrime – illegal data interference
Relevant law
Penal Code (Act No. 45 of April 24, 1907) (Keiho)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Illegal data interference is punished by Article 234-2 and 258,
259 of the Penal Code, including particularly:
• Art. 234-2: A person who obstructs the business of
another by interfering with the operation of a computer
utilized for the business of the other or by causing such
computer to operate counter to the purpose of such
utilization by damaging such computer or any
electromagnetic record used by such computer, by
inputting false data or giving unauthorized commands or
by any other means, shall be punished.
• Art. 258: A person who damages a document or an
electromagnetic record in use by a public office shall be
punished.
• Art. 259: A person who damages a document or
electromagnetic record of another that concerns rights or
duties shall be punished.
• §4: producing, owning or distributing any devices
(including software or data such as usernames/passwords)
which were primarily designed or modified to commit the
aforementioned crimes, knowing that these could be used
to damage data or to disrupt the functioning of an
information system.
This would apply to any ID theft incidents involving the
falsifying of identity information stored in an information
system.
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceedings:
• Violations of Art. 234-2 can be criminally sanctioned
with imprisonment with work for not more than 5 years
or a fine of not more than 1,000,000 yen.
• Violations of Art. 258 can be criminally sanctioned with
imprisonment with work for not less than 3 months but
not more than 7 years.
• Violations of Art. 259 can be criminally sanctioned with
imprisonment with work for not more than 5 years.
Cybercrime – computer-related forgery
Relevant law
Penal Code (Act No. 45 of April 24, 1907) (Keiho)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Computer-related forgery is punished by Article 161-2 and 163-2
and following of the Penal Code, including particularly:
• Art. 161-2 (1): A person who, with the intent to bring
about improper administration of the matters of another
person, unlawfully creates without due authorization an
electromagnetic record which is for use in such improper
administration and is related to rights, duties or
certification of facts, shall be punished.
• Art. 161-2 (2): When the crime prescribed under the
preceding paragraph is committed in relation to an
electromagnetic record to be created by a public office or
a public officer, the offender shall be punished.
• Art. 163-2: A person who, for the purpose prescribed for
in paragraph (1) of the preceding paragraph, possesses
the card prescribed for in paragraph (3) of the same
paragraph, shall be punished.
• Art. 163-4(1): A person who, for the purpose of use in
the commission of a criminal act prescribed for in
paragraph (1) of Article 163-2, obtains information for
the electromagnetic record prescribed for in the same
paragraph, shall be punished.
Art. 161-2 would apply to, for example, any ID theft incidents
involving the use of false identity information in an information
system to change its legal impact (eg, changing the name of the
holder of a bank account, or performing banking transactions
under someone else’s name).
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceedings:
• Violations of Art. 161-2 (1) can be criminally sanctioned
with imprisonment with work for not more than 5 years
or a fine of not more than 500,000 yen.
• Violations of Art. 161-2 (2) can be criminally sanctioned
with imprisonment with work for not more than 10
years or a fine of not more than 1,000,000 yen.
• Violations of Art. 163-2 can be criminally sanctioned
with imprisonment with work for not more than 5 years
or a fine of not more than 500,000 yen.
• Violations of Art. 163-4 (1) can be criminally sanctioned
with imprisonment with work for not more than 3 years
or a fine of not more than 500,000 yen.
Cybercrime – computer-related fraud
Relevant law
Penal Code (Act No. 45 of April 24, 1907) (Keiho)
Reference
See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft
Computer-related fraud is punished by Article 246-2 of the Penal
Code.
In addition to the provisions of Article 246, a person who obtains
or causes another to obtain a profit by creating a false
electromagnetic record relating to acquisition, loss or alteration
of property rights by inputting false data or giving unauthorized
commands to a computer utilized for the business of another, or
by putting a false electromagnetic record relating to acquisition,
loss or alteration of property rights into use for the
administration of the matters of another shall be punished.
Prescribed sanction
Apart from damages that the victim may receive in a civil
proceedings, violations of Art. 246-2 can be criminally
sanctioned with imprisonment with work for not more than 10
years.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- forgery and/or computer-related forgery, if the forgery changed
the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was
used to unlawfully appropriate property.
Case law available?
Yes.
In 1997, the Kyoto District Court ruled on a case in which the
defendant, to avoid detection of a fraud he had committed under
another person's name on a bulletin board system of a PC
communication service, changed without permission the address
of another person registered on the service's host computer.
The court concluded as follows.
1. Where the defendant forged an application to open an ordinary
deposit account in the name of another person and sent it to the
bank, the offences of forgery of a private document and use of
the forged document are established against the defendant.
2. Where the defendant transmitted false information from his
own PC to the PC communication provider and thereby caused
the company's person in charge, who was unaware of the
circumstances, to change without permission the address of
another person registered on the company's host computer, the
offence of unauthorized creation of a private electromagnetic
record is established against the defendant.
The defendant was sentenced to 2 years in prison, with a stay
of execution for 3 years and probation.
A copy of the decision can be found here:
http://www.isc.meiji.ac.jp/~sumwel_h/doc/juris/kdcj-h9-5-9.htm
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how the
credentials were used:
- violation of the data protection act, since the credentials are likely
to be considered personal data which is being unlawfully processed;
- violation of communication secrecy laws, if use of the credentials
can be qualified as unlawful access to data related to electronic
communication (eg, to make bank transfers);
- fraud and/or computer-related fraud, if falsified messages were sent
to unlawfully appropriate property;
- unauthorized access to information systems, if the credentials were
used to access a system without authorisation.
Case law available?
Yes.
In 2004, the Supreme Court ruled on fraud in a case where the
defendant pretended to be the named holder and used a credit card.
In 2006, the Supreme Court ruled on computer fraud in a case where
the defendant entered into a computer the name of the named holder
of a credit card which he had stolen and purchased electronic
money.
In 2007, the Supreme Court ruled on unauthorized access in a case
where the defendant stole another person's ID and password and used
them illegally, and on Unauthorized Creation of Electromagnetic
Records where he changed a password illegally.
A copy of the decision of 2004 case can be found here:
http://www.courts.go.jp/hanrei/pdf/js_20100319115338769000.pdf
A copy of the decision of 2006 case can be found here:
http://www.courts.go.jp/hanrei/pdf/js_20100319115528940656.pdf
A copy of the decision of 2007 case can be found here:
http://www.courts.go.jp/hanrei/pdf/20070810153918.pdf
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator would do
with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be
considered personal data which is being unlawfully processed;
- fraud and/or computer-related fraud, if falsified messages were sent to
unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering, changing or
deleting information in an information system without authorisation (eg, in
order to falsify a website).
- unauthorized access to information systems, if the credentials were used to
access a system without authorisation.
Case law available?
Yes.
In 2008, the Kyoto District Court imposed a prison term of 3 years 6 months
and a fine of 1,000,000 yen on a defendant who committed fraud, unauthorized
creation of electromagnetic records and unauthorized access using the
personal information of another person, which he had obtained by phishing.
A copy of the decision can be found here:
http://www.lli-hanrei.com/cgibin/eoc/hanreibodyctl.cgi?DOC=/docs/HANREI/HSRD0/6350/06350106.html
Using spyware to obtain identity information (eg, installing a computer programme
that records which usernames and passwords are used and communicates these to a
hacker)
Applicable law(s)
The act of using the spyware itself (independent from what the
perpetrator would do with the stolen information) would likely
be:
- unauthorized access to information systems, if the credentials
were used to access a system without authorisation.
- a violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system
without authorisation.
Case law available?
Yes.
In 2003, the Tokyo District Court imposed a prison term of 4
years on the defendant on charges of computer fraud,
unauthorized creation of electromagnetic records, unauthorized
access etc. in the following case.
The defendant installed a keylogger (keystroke-logging software)
on an Internet-connected personal computer in an Internet cafe
and obtained the user ID / password (identification code) of
another person. He then accessed the server computer of the
credit card company using the illegally obtained identification
code and stored false information about the victim, changing the
victim's address. Pretending to be the victim, he then
fraudulently obtained a PC through an Internet mail order.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- unauthorized access to information systems, if the credentials
were used to access a system without authorisation.
- violation of the Penal Code: if the person who obtained the
personal information uses it in a spoofing attack and threatens
the victim, he/she is charged with forgery, intimidation,
extortion etc.
Case law available?
Yes.
In 2004, in the following case, the Tokyo District Court
sentenced defendant A, for attempted extortion, to 2 years in
prison with a stay of execution for 4 years, and defendant B, for
unauthorized access and as an accessory to attempted extortion,
to 2 years and 6 months in prison with a stay of execution for
5 years.
Defendant A obtained customer information that his collaborator,
defendant B, had stolen by hacking the server computer of an
ITC-related company, and then threatened the person in charge at
that company. The extortion went no further than an attempt.
ID theft reporting mechanisms
ID theft reporting site
In Japan, no reporting mechanisms focused on on-line and off-line identity theft exist,
nor do sites dedicated exclusively to identity theft. No such website is planned or, if one
is planned, this is not publicly known.
However, the National Police Agency offers a search of example cases of phishing and
unauthorized access, and an introduction to consultation services, on a website called
‘National Police Agency, Internet safety and security consultation (keisatsucho intanetto
anzenn anshin soudan)’ (http://www.npa.go.jp/cybersafety/).
Other sites
Several other sites play a mainly informative role with respect to ID theft, including
notably:
• The web site of the Ministry of Foreign Affairs
(http://www.mofa.go.jp/mofaj/toko/passport/higairei.html) issued the warning
that ‘damage of the passport acquisition by the loss or theft of the passport or the
spoofing attack is taking place at home and abroad’ on November 24, 2009. It also
explains how a victim can have a passport invalidated when he/she loses it or
has it stolen.
• CYBERCRIME PROJECT (http://www.npa.go.jp/cyber/) is a website managed by
the National Police Agency. This site carries precautions against and ways of coping
with cybercrime, and the cybercrime measures that the National Police Agency
promotes. On this site, the NPA publishes statistics such as the arrest situation and
the consultation acceptance situation for cybercrime. The site also carries
research reports about cybercrime measures carried out by organizations
including the National Police Agency. In addition, it lists websites that serve
as a reference for carrying out cybercrime measures.
• @police (http://www.npa.go.jp/cyberpolice/) is a website managed by the NPA.
This site is an Internet security portal site that is intended to prevent cyber crime
and cyber terrorism, and keep them from spreading, by quickly providing
information gathered by the police on information security to Internet users, and
increasing security awareness.
• Information-Technology Promotion Agency, Japan (http://www.ipa.go.jp/)
undertakes activities in four principal fields that form the pillars of its operations:
IT Security, Software Engineering, IT Human Resources Development and Open
Software. IPA accepts reports of damage from unauthorized access from a wide
range of sources (the information industry, corporate information departments
and individual users), tracks the actual extent of damage from unauthorized
access, and raises awareness of prevention.
• Internet Hotline Center JAPAN (http://www.internethotline.jp/index.html) is
the point of contact for reports of illegal and harmful information on the Internet
in Japan (information that undertakes, mediates, or directly and explicitly induces
an illegal act). Counterfeiting of official documents is also covered as illegal and
harmful information. This site started operating on June 1, 2006. After
analysing reported information, it reports to the National Police
Agency if it recognises the information to be illegal.
• National Consumer Affairs Center of Japan (http://www.kokusen.go.jp/): a site
disseminating general information in relation to consumer protection, including
with respect to common Internet fraud attempts. This site provides practical
examples of incidents and recommendations to improve consumer awareness.
• Council of Anti-Phishing Japan (http://www.antiphishing.jp/) works to
curb phishing damage in Japan. It collects and
provides case examples and technical information about phishing.
Personal assessment of the framework for combating ID theft
Globally, it seems that the legal framework for combating ID theft incidents in Japan is
sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents
which are not covered under present legislation. Revisions to punish information theft
are made in each individual law, and a law that would comprehensively regulate
identity theft is not really under discussion. Japan has no portal site for reporting Internet
crime such as the Belgian eCops, but various organizations including the National Police
Agency continue their awareness-raising work.
None the less, there are also a few weaknesses. Firstly, when a victim has suffered or
nearly suffered damage from cybercrime, police offices accept consultations
and reports, but these do not come to public attention. Victims of ID theft are required to
go through official channels (ie, registering a complaint with local police offices). ID theft
does not appear to take a high priority in investigations, except in cases of clear and
significant harm to the victim.
Secondly, the investigation of incidents remains complicated in practice, especially in cross
border cases. Even when clear evidence of an ID theft incident can be found (eg, a fake
profile on a social networking website through which false information is being spread), it
can often prove difficult to convince the website operators to take the offending
information off-line, and even harder to obtain information from the operator that would
make it possible for local judicial authorities to investigate the crime further (eg, IP
addresses or mail addresses used by the offender). In practice, this appears to be the main
challenge to combating ID theft incidents.
In Japan, many people do not yet seem to understand the value of information
or the threat posed by its fraudulent use. However, because unauthorized
acquisition of user accounts is increasing, the Japan Online Game Association accepted a
request from the National Police Agency to introduce a certification system and
announced that it introduced a common certification system at its member companies on
March 31, 2010. In this way, identity theft is gradually attracting interest.
Latvia
Applicable laws
Laws focusing explicitly on ID theft
In Latvia no laws which focus explicitly on ID theft have been introduced. The
phenomenon of ID theft, which may take multiple forms, is combated with the help of the
general laws, related to personal data protection, provision of communications services, as
well as with the help of various administratively and criminally punishable offences.
To our knowledge, no legislation, focusing explicitly on ID theft, is currently being
considered. However, in the beginning of March of this year the Cabinet of Ministers has
tasked the Ministry of Transportation to develop a new law on cyber security. At the
present moment more details on the possible scope of the draft law are unavailable,
therefore it is difficult to assess its possible implication on the issue of ID thefts.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Law of 23 March 2000 ‘Personal Data Protection Law’ (Fizisko
personu datu aizsardzības likums).
Reference
See http://www.likumi.lv/doc.php?id=4042
Main provisions in relation to ID theft
ID theft incidents will constitute unlawful processing, as it will
violate legitimacy requirements (Section 7, 11, 12, 13(1), 28),
proportionality obligations and purpose restriction (Section 10),
transparency obligations (Section 8, 9), obligation to register
processing of data at Data State Inspectorate (Section 21, 21(1)),
security obligations (Section 25, 26).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• the violations of the abovementioned obligations can also be
subject to administrative liability according to the Latvian
Administrative Violations Code:
a. Section 204(7), paragraph 1, of the abovementioned
law sanctions illegal operations with a natural
person’s data, that is, in respect of any illegal
operations with a natural person’s data, including
collection of data, registration of data, entering,
storing, ordering, transforming, utilisation, transfer,
transmitting, blocking or deleting of the data. The
applicable sentence is a warning, or a fine on natural
persons in an amount from LVL 50 (EUR 71.14) up
to LVL 400 (EUR 569.14), on officials from LVL
100 (EUR 142.28) up to LVL 400 (EUR 569.14),
but for legal persons from LVL 1000 (EUR
1422.87) up to LVL 8000 (EUR 11 382.97), with
or without confiscation of the articles and tools used
to commit the violation;
b. Section 204(7), paragraph 2, of the abovementioned
law sanctions illegal operations with a natural
person’s sensitive personal data. The applicable
sentence is a warning, or a fine on natural persons in
an amount from LVL 200 (EUR 284.57) up to LVL
500 (EUR 711.43), on officials from LVL 300
(EUR 426.86) up to LVL 500 (EUR 711.43), but
for legal persons from LVL 3000 (EUR 4 268.61)
up to LVL 10 000 (EUR 14 228.71), with or
without confiscation of the articles and tools used to
commit the violation;
c. Section 204(8) of the abovementioned law sanctions
failure to provide information to a data subject;
d. Section 204(9) of the abovementioned law sanctions
processing of natural person’s data without
registration;
e. Section 204(10) of the abovementioned law
sanctions the failure to provide information to the
Data State Inspectorate;
f. Section 204(11) of the abovementioned law
sanctions the failure to accredit persons at the Data
State Inspectorate.
• The violations of the above mentioned obligations can also
be subject to criminal liability according to the Criminal
Law:
a. Section 145, paragraph 1, of the abovementioned
law sanctions illegal operations with a natural
person’s data, if a significant harm is caused thereby.
The applicable sentence is deprivation of liberty for
a term not exceeding two years or custodial arrest, or
community service, or a fine not exceeding one
hundred times the minimum monthly wage [164].
[164] In 2010 in Latvia the minimum monthly wage is set at LVL 180.
b. Section 145, paragraph 2, of the abovementioned
law sanctions illegal operations with a natural
person’s data, if committed thereof by the data
controller or data processor for the purposes of
revenge, acquiring property or blackmailing. The
applicable sentence is deprivation of liberty for a
term not exceeding four years or custodial arrest, or
community service, or a fine not exceeding one
hundred twenty times the minimum monthly wage.
c. Section 145, paragraph 3, of the abovementioned
law sanctions influencing the system administrator
or personal data processor, or the data subject with
the help of violence or threats, or maliciously using
the confidence, or with the help of deceit, for the
purposes of carrying out illegal operations with a
natural person’s data. The applicable sentence is
deprivation of liberty for a term not exceeding five
years or custodial arrest, or community service, or a
fine not exceeding two hundred times the minimum
monthly wage.
d. Section 193(1) of the Criminal Law sanctions the
acts of obtaining, manufacturing, distributing, using
and storing data, software and equipment for
unlawful acts with financial instruments and means
of payment. The applicable sentence is deprivation
of liberty for a term not exceeding ten years, with or
without confiscation of the property (depending on
the violation).
Communications secrecy laws
Relevant law
Law of 28 October 2004 ‘Electronic communications law’
(Elektronisko sakaru likums).
Reference
See http://www.likumi.lv/doc.php?id=96611
Main provisions in relation to ID theft
Section 19 of this law makes the provider of electronic
communications services responsible for maintaining the
security of the data, including personal data, of the users of
electronic communications. Section 68 of this law prohibits the
provider of electronic communications services from disclosing
data about the users and subscribers of electronic
communications services and about the services received, and
also prohibits disclosure of information which has been
circulated via electronic communications.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
a. Section 144 of the Criminal Law sanctions violating
the confidentiality of correspondence, information
in the form of transmissions over a
telecommunications network and other information.
The applicable sentence is deprivation of liberty for
a term not exceeding five years, or community
service, or a fine not exceeding one hundred times
the minimum monthly wage, with or without
deprivation of the right to engage in specific
activities for a period not exceeding five years
(depending on the violation).
b. Section 200 of the Criminal Law sanctions
disclosure of non-disclosable information, which is
not an official secret. The applicable sentence is
custodial arrest or community service or a fine not
exceeding fifty times the minimum monthly wage
(depending on the violation).
Fraud
Relevant law
Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference
http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft
Fraud in general is punishable according to Section 177 of
the Criminal Law. This Section sanctions acquiring property of
another, or of rights to such property, by the use, in bad faith, of
trust, or by deceit (fraud).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Section 177 can be criminally
sanctioned with deprivation of liberty for a term not exceeding
thirteen years, or with confiscation of property, or custodial
arrest, or community service, or a fine not exceeding one
hundred fifty times the minimum monthly wage (depending on
the violation).
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference
http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft
Forgery in general is punishable according to Section 275 of
the Criminal Law. This Section sanctions forgery of a document
conferring rights or a release from obligations, or of a seal or a
stamp, or using or selling a forged document, seal or stamp.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Section 275 can be criminally
sanctioned with deprivation of liberty for a term not exceeding
four years, or community service, or a fine not exceeding sixty
times the minimum monthly wage (depending on the violation).
Cybercrime - illegal access to information systems (hacking)
Relevant law
Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference
http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft
Arbitrarily accessing an automated data processing system in general
is punishable according to Section 241 of the Criminal Law.
This Section sanctions arbitrarily (without the relevant
permission or utilising the rights granted to another person)
accessing an automated data processing system or a part thereof,
if breaching of data processing protective systems is associated
therewith or if significant harm is caused thereby, or if
commission thereof is for purposes of acquiring property or if
serious consequences are caused thereby.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Section 241 can be criminally
sanctioned with deprivation of liberty for a term not exceeding
eight years, or custodial arrest, or a fine not exceeding one
hundred and eighty times the minimum monthly wage with or
without confiscation of property (depending on the violation).
Cybercrime – illegal data interference
Relevant law
Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference
http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft
Interference in the operation of automated data processing
systems and unlawful action with the information included in
such systems in general is punishable according to the Section
243 of the Criminal Law. This Section sanctions modifying,
damaging, destroying, impairing or hiding of information stored
in an automated data processing system without authorisation, or
knowingly entering false information into an automated data
processing system, as well as interference in the operation of an
automated data processing system by entering, transferring,
damaging, extinguishing, impairing, changing or hiding
information, if the protective systems are damaged or destroyed
thereby or significant harm is caused thereby, or losses are caused
on large scale, or for purposes of acquiring property, or if serious
consequences are caused thereby.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Section 243 can be criminally
sanctioned with deprivation of liberty for a term not exceeding
eight years, or community service, or a fine not exceeding two
hundred times the minimum monthly wage with or without
confiscation of property (depending on the violation).
Cybercrime – computer-related forgery
Relevant law
Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference
http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft
Computer-related forgery is covered by Section 244, which
sanctions unlawful manufacture, adaptation for utilisation, sale,
distribution or storage of such devices (also software), which are
intended to influence automated data processing system
resources.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Section 244 can be criminally
sanctioned with deprivation of liberty for a term not exceeding
ten years, or community service, or a fine not exceeding two
hundred times the minimum monthly wage with or without
confiscation of property (depending on the violation).
Cybercrime – computer-related fraud
Relevant law
Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference
http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft
Fraud in automated data processing systems in general is
punishable according to Section 177(1) of the Criminal Law.
This Section sanctions the act of entering false data into an
automated data processing system for the acquisition of the
property of another person or the rights to such property, or the
acquisition of other material benefits, in order to influence the
operation of the resources thereof (computer fraud).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Section 177(1) can be criminally
sanctioned with deprivation of liberty for a term of up to fifteen
years, or with confiscation of property, or custodial arrest, or
community service, or a fine not exceeding two hundred times
the minimum monthly wage (depending on the violation).
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violations of Personal Data Protection Law, since personal data
of the victim would likely be unlawfully processed to make the
false identity believable (eg, publication of the victim's name,
address, photo, etc.);
- violation of communication secrecy, if the false profile results in
messages being sent to the false profile which were intended for
the real recipient;
- forgery, if the incident/act changed the legal impact of the
information;
- computer-related fraud, if the false identity was used to
unlawfully appropriate property.
Liability for these violations is established according to the
Sections of Latvian Administrative Violations Code or the
Criminal Law, described above.
Case law available?
None publicly available.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- violation of the Personal Data Protection Law, since the
credentials are likely to be considered personal data which are
being unlawfully processed;
- violation of communication secrecy, if use of the credentials can
be qualified as unlawful access to data related to electronic
communication (eg, to make bank transfers);
- computer-related fraud, if falsified messages were sent to
unlawfully appropriate property;
- illegal access to automated data processing systems, if the
credentials were used to access a system without authorisation.
Liability for these violations is established according to the
Sections of Latvian Administrative Violations Code or the
Criminal Law, described above.
Case law available?
None publicly available.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- a violation of the Personal Data Protection Law, since the
credentials are likely to be considered personal data which are
being unlawfully processed;
- violation of the prohibition to obtain data for unlawful acts
with financial instruments and means of payment, if the purpose
of obtaining the data was the commission of unlawful acts with
financial instruments and means of payment;
- violation of communication secrecy, if the collection of the
credentials can be qualified as unlawful access to data related to
electronic communication;
- fraud, if falsified messages were sent to unlawfully appropriate
property;
- illegal data interference, if the act of phishing involved the fact
of entering, changing or deleting information in an information
system without authorisation (eg, in order to falsify a website).
Liability for these violations is established according to the
Sections of Latvian Administrative Violations Code or the
Criminal Law, described above.
Case law available?
None publicly available.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
Such an incident would likely involve violation of Section 275 of
the Criminal Law (Forgery, see Section 1.2.2. above).
Case law available?
None publicly available.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely involve:
- violation of the Personal Data Protection Law, since the
personal information would be unlawfully processed;
- violation of prohibition to disclose non-disclosable information.
Liability for these violations is established according to the
Sections of Latvian Administrative Violations Code or the
Criminal Law, described above.
Case law available?
None publicly available.
ID theft reporting mechanisms
DDIRV.LV
Computer incidents can be reported either by telephone or online at [email protected] to the
Computer Security Incident Response Team (DDIRV), which initially was established as a
department of the State information network agency. DDIRV’s basic service (for example,
recommendations in case of computer security incidents) is available for both registered
and unregistered clients, but only IT administrators of State and municipal institutions can
voluntarily register for additional benefits like pre-emptive information about threats that
might affect their systems. Unregistered clients can receive consultations or
recommendations in case of computer security incident. It means that DDIRV
consultations and recommendations are available for every person who has submitted
incident response and this institution is responsible for security incident handling and
prevention in his/her network.
Data State Inspectorate
Suspected illegal operations with personal data should be reported to Data State
Inspectorate, by submitting the application either personally or via post, or by sending
information electronically (if signed by a secure electronic signature) to the email address:
[email protected].
State Police
Any suspected crime should be reported to the State Police. The form in which the
information should be submitted is not defined, except that anonymous
information cannot serve as a basis to initiate criminal proceedings. Information to the State
Police can be submitted not only by the victim, but also by the controlling authorities (for
example - Data State Inspectorate) or by persons who know about the possible commission
of a crime, but who themselves are not victims.
Consumer Rights Protection Centre
If the offence is related to the quality of the services provided (for example - related to
communications), a person can submit an application to the Consumer Rights Protection
Centre. The application can be submitted either in traditional written form (personally or
via post), electronically, if signed with an electronic signature ([email protected]), or orally.
Personal assessment of the framework for combating ID theft
It seems that the legal framework for combating ID theft incidents in Latvia is sufficiently
comprehensive, as there do not appear to be any examples of ID theft incidents which are
not covered under present law. The tradition of defining administratively and criminally
punishable offences in codified laws – the Latvian Administrative Violations Code and the
Criminal Law, respectively, is long-standing, and therefore an absence of a specific law,
focusing explicitly on ID theft, does not seem to create any difficulty, since the existing
sources may easily apply to ID theft incidents.
On the other hand, earlier this year a large amount of personal data was stolen from the
information systems of the State Revenue Service. The data about the incomes of persons,
mainly of the employees of the Governmental institutions, is publicly revealed from time
to time, and it seems that at the present moment the State Police cannot find persons
responsible for the theft of this data. This shows that the difficulties are associated with the
practical implementation of the laws rather than with the laws themselves. Moreover, data
about the actual number of administrative and criminal offences related to ID theft, as well
as a complete database of the court practice, is not publicly available.
In addition, the discussion in Latvia about the necessity to improve the security of
the Governmental communications networks has lately intensified. At the beginning of March of
this year the Cabinet of Ministers tasked the Ministry of Transportation with developing a
new law on cyber security. At present, more details about the possible scope of
the draft law are unavailable; it is therefore difficult to assess its possible implications for the
issue of ID theft.
Lithuania
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Lithuania that focuses explicitly on ID theft as a
specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, fraud etc.).
No such legislation is currently under consideration according to the information available.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Law of 11 June 1996 on legal protection of personal data
(Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=315633
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they
will violate legitimacy requirements (Article 5), proportionality
obligations and the purpose restriction (Article 3), security
obligations (Article 30) and formal obligations such as the prior
notification to the Lithuanian State Data Protection Inspectorate
(Article 31).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, according to the Lithuanian Administrative Code –
Art. 214(14) – the violations above can also be sanctioned with a
fine of 145 up to 290 EUR.
Communications secrecy laws – existence and technical aspects of electronic
communication
Relevant law
Law of 15 April 2004 on Electronic Communications (Lietuvos
Respublikos elektroninių ryšių įstatymas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=242679
Main provisions in relation to ID theft
Article 61 of this Act forbids the provider of electronic
communications services, without the consent of the actual user of
electronic communication services, (1) to listen to, record, store or
otherwise intercept information and related traffic data or gain
secret access to such information and related traffic data; (2) to
disclose the content of information transmitted over electronic
communications networks and/or related traffic data or to create
conditions for gaining access to such information and/or related
traffic data.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Article 61 can be sanctioned by the
Lithuanian Communications Regulatory Authority (CRA) with
an administrative fine of up to 3 percent of the annual gross
income from activities associated with electronic communications,
and if it is difficult or impossible to calculate the volume of such
activity with a fine of up to LTL 300,000 (about EUR 87,000).
For repeated or serious infringement, the CRA has a right to
impose a fine of up to 5 percent of the annual gross income from
activities associated with electronic communications. However, if
it is difficult or impossible to calculate the volume of such activity,
a fixed fine is set up to LTL 500,000 (about EUR 145,000).
If annual gross income of an undertaking is less than LTL
300,000 (about EUR 86,886), a fine of up to LTL 10,000 (about
EUR 2,896) may be imposed by CRA, while in case of a repeated
or serious infringement, a fine may be set up to LTL 20,000
(about EUR 5,792).
Communications secrecy laws – contents of electronic communication
Relevant law
Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft
Article 166 forbids the following acts:
• Unlawfully intercepting, recording or observing a person’s
messages transmitted by electronic communications
networks;
• Unlawfully recording, wiretapping or observing a person’s
conversations transmitted by electronic communications
networks.
Additional provisions of Article 168 punish the use of lawfully
made recordings which were primarily designed or modified to
commit the aforementioned crimes.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of Article 166 can be criminally sanctioned
with a fine, community service, restriction of liberty,
arrest or imprisonment up to 2 years;
• Violations of Article 168 can be criminally sanctioned
with a fine, community service, restriction of liberty, arrest
or imprisonment up to 3 years.
Fraud
Relevant law
Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft
Fraud in general is punished by Article 182 of the Criminal Code.
This article sets forth that a person who, by deceit, acquires
another’s property for his/her own benefit or for the benefit of
other person(s) or acquires a property right, avoids a property
obligation or annuls it shall be punished. This would apply to any
ID theft incidents involving the use of a falsified identity to
acquire property.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of Article 182 can be criminally sanctioned
with community service, fine, restriction of liberty, arrest or
imprisonment up to 3 years.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft
Forgery is punished by Article 300 of the Criminal Code,
including:
• §1: producing a false document, forgery of a genuine
document, transport, storage, use, handling of a
document known to be false or a genuine document
known to be forged;
• §2: falsifying a passport, identity card, driving licence or
state social insurance certificate.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of Article 300 §1 can be criminally sanctioned
with a fine, arrest or imprisonment up to 3 years;
• Violations of Article 300 §2 can be criminally sanctioned
with arrest or imprisonment up to 4 years.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft
Illegal access to information systems is punished by Article 198(1)
of the Criminal Code, including particularly:
• §1: unlawfully connecting to an information system by
cracking the protection means of the information system;
• §2: unlawfully connecting to an information system of
strategic importance for national security or of major
importance for State government, the economy or the
financial system.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system, or to steal credentials from such a system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of §1 can be criminally sanctioned with
community service, a fine, arrest or imprisonment up to 1
year;
• Violations of §2 can be criminally sanctioned with a fine,
arrest or imprisonment up to 3 years.
Cybercrime – illegal data interference
Relevant law
Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft
Illegal data interference is punished by Article 196 of the Criminal
Code, including particularly:
• §1: destroying, damaging, removing or modifying
electronic data or technical equipment, software or
otherwise restricting the use of such data thereby causing
high damage;
• §2: causing damage to the electronic data of an
information system of strategic importance for national
security or of high importance for State government, the
economy or the financial systems as a result of
committing the crime in §1.
Art. 198(2) forbids the act of unlawfully producing, transporting,
selling or otherwise distributing the installations or software,
including passwords, login codes or other similar data directly
intended for the commission of criminal acts or the act of
acquiring or storing them for the same purpose.
This would apply to any ID theft incidents involving the falsifying
of identity information stored in an information system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of §1 can be criminally sanctioned with
community service, fine or imprisonment up to 4 years;
• Violations of §2 can be criminally sanctioned with a fine,
arrest or imprisonment up to 6 years;
• Violations of Art. 198(2) can be criminally sanctioned
with community service, a fine, arrest or imprisonment
up to 3 years.
Cybercrime – computer-related forgery
Relevant law
Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft
Computer-related forgery is punished by Article 196 of the
Criminal Code, including particularly:
• §1: destroying, damaging, removing or modifying
electronic data or technical equipment, software or
otherwise restricting the use of such data thereby causing
major damage;
• §2: causing damage to the electronic data of an
information system of strategic importance for national
security or of high importance for State government, the
economy or the financial systems as a result of
committing the crime in §1.
Article 198 of the Criminal Code punishes the act of unlawfully
observing, recording, intercepting, acquiring, storing,
appropriating, distributing or otherwise using electronic data
which shall not be made public.
This would apply to, for example, any ID theft incidents
involving the use of false identity information in an information
system to change its legal impact.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of §1 can be criminally sanctioned with
community service, fine or imprisonment up to 4 years;
• Violations of §2 can be criminally sanctioned with a fine,
arrest or imprisonment up to 6 years;
• Violations of §1 of Article 198 can be criminally
sanctioned with a fine or imprisonment up to 4 years.
Cybercrime – computer-related fraud
Relevant law
Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference
See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft
Computer-related fraud is punished by Article 198 of the
Criminal Code, including particularly:
• §1: unlawfully observing, recording, intercepting,
acquiring, storing, appropriating, distributing or
otherwise using the electronic data which shall not be
made public;
• §2: committing the crime described in §1 to the
electronic data which shall not be made public and which
are of strategic importance for national security or of high
importance for State government, the economy or the
financial system.
This would apply to, for example, any ID theft incidents
involving the modification of information systems in order to
obtain usernames/passwords (eg, phishing).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of §1 can be criminally sanctioned with a fine
or imprisonment up to 4 years;
• Violations of §2 can be criminally sanctioned with
imprisonment up to 6 years.
Application in practice
In the sections below, we will examine if/how these regulations are applied in practice,
including the identification of any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- forgery and/or computer-related forgery, if the forgery changed
the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was
used to unlawfully appropriate property.
Case law available?
No known case law.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used
to access a system without authorisation.
Case law available?
No known case law.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- fraud and/or computer-related fraud, if falsified messages were
sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering,
changing or deleting information in an information system
without authorisation (eg, in order to falsify a website).
Case law available?
No known case law.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
Such an incident would likely involve forgery with respect to
identity, which is punished by Article 300 of the Criminal Code.
Case law available?
Several cases are known, specifically in relation to the use of
falsified passports. For example, the Supreme Court of Lithuania
ruled on a case where a person falsified a passport. The defendant
was convicted for violation of paragraph 2 of Article 300 of the
Criminal Code, which prohibits falsifying a passport, identity
card, driving licence or state social insurance certificate, and was
sanctioned with imprisonment.
A copy of the decision in Lithuanian can be found here:
http://www.lat.lt/default.aspx?item=tn_liteko&lang=1
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be a violation of the communication secrecy laws, since the
lawfully gained personal information without the consent of the
concerned person would be made public or used for the own
benefit or for the benefit of another person.
Case law available?
No known case law.
ID theft reporting mechanisms
CERT-LT reporting site
To facilitate the reporting of IT security incidents (including, but not limited to, system
intrusion, phishing, spam, spyware etc.), a general reporting website (www.cert.lt) was
established by CERT-LT in Lithuania.
CERT-LT is the Lithuanian National Computer Emergency Response Team whose task is
to promote security in the information society by preventing, observing, and solving
information security incidents and disseminating information on threats to information
security. CERT-LT activities are managed by the Lithuanian Communications Regulatory
Authority. CERT-LT publishes annual and quarterly statistical reports on the status and
developments of online-related crimes and security threats in Lithuania. The CERT-LT website
provides users with general information regarding online incidents and the ways to combat
them.
The website of CERT-LT acts as a single contact point, through which IT security
incidents can be reported by filling in the online form in either Lithuanian or
English. When submitting the report, the reporter is required to provide an email address and a
description of the IT incident.
It should be noted that the CERT-LT website is primarily intended to allow citizens to
report information security incidents or threats that they have observed but of which they
were not the victims. Victims of such incidents, if any damages were suffered, are
recommended to contact the local police office or the Lithuanian Cyberpolice directly
(http://www.cyberpolice.lt).
State Data Protection Inspectorate
Violations of Lithuanian personal data processing laws could be reported to the Lithuanian
State Data Protection Inspectorate. The notification of violations of data subject’s rights
may be submitted by the data subject either personally or via post, or by sending such
information electronically.
Police
Any suspected crime should be reported to the local police office or to the Cyberpolice.
Information about ID theft crime can be submitted to the police not only by the victim,
but also by the controlling authorities (eg, State Data Protection Inspectorate or
Communications Regulatory Authority) or by persons who know about the possible
commission of a crime, but who themselves are not victims.
Other sites
Apart from the CERT-LT website, other websites in Lithuania play a mainly informative role
with respect to ID theft, including notably the e-safety website (http://www.esaugumas.lt/),
managed by the Lithuanian Communications Regulatory Authority. This website aims to
improve awareness of Internet security issues through general tips and recommendations to
Internet users.
Personal assessment of the framework for combating ID theft
It could be considered that the legal framework for combating ID theft incidents in
Lithuania is sufficiently comprehensive to cover ID theft incidents described in this report.
Furthermore, the establishment of a single contact point for reporting IT security incidents
(the aforementioned CERT-LT website) should be considered as a positive development in
combating IT security threats.
Nonetheless, there are also some weaknesses. Firstly, the CERT-LT website is promoted as
a website for reporting IT security incidents by non-victims. CERT-LT does not
investigate the Internet crimes associated with ID theft; it only helps to indicate and solve
problems on the Internet. Victims of ID theft are still required to go through official
channels (ie, registering a complaint with the local police office or the Cyberpolice). This process
is still not transparent enough to victims. The follow-up of such complaints can be rather
slow and depends on the availability of resources for the investigation. It should also be
noted that there is not enough publicly available information about Internet-based crimes,
especially in the case of ID theft.
Furthermore, the investigation of ID theft incidents in Lithuania remains rather
complicated in practice. Even when evidence of an ID theft incident can be found (eg, a
fake profile on a social networking website), it could be rather difficult to obtain
information from the providers of electronic communication services that would help local
judicial authorities to investigate the crime further (eg, IP addresses or mail addresses used
by the offender).
Luxembourg
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Luxembourg that focuses explicitly on ID theft as a
specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, fraud, etc.).
No such legislation is currently under consideration to our knowledge.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Law of 2 August 2002 on the protection of individuals with
regard to the processing of personal data, as amended (‘Loi du 2
août 2002 relative à la protection des personnes à l’égard du
traitement des données à caractère personnel, telle que modifiée’).
Reference
http://www.cbpweb.nl/downloads_wetten/WBP.PDF?refer=true&theme=purple.
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they
will violate legitimacy requirements, proportionality obligations
and the purpose restriction, transparency obligations, security
obligations and formal obligations such as the prior notification
to the Luxembourg Data Protection Authority (the ‘Commission
Nationale pour la Protection des Données’).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with fines of EUR 251.00 to EUR 125,000.00.
Communications secrecy laws – contents of communication
Relevant law
Criminal Code (‘Code Pénal’).
Reference
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T02.pdf
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T08.pdf
Main provisions in relation to ID theft
Article 149 of the Luxembourg Criminal Code punishes any
public servant or employee of the national postal services who has
opened or deleted letters entrusted to the national postal services.
Article 460 of the Luxembourg Criminal Code punishes anyone
who has opened or deleted letters entrusted to the national postal
services.
Prescribed sanction
In addition to damages that may be awarded to the victim in civil
proceedings:
- anyone liable for an infringement of article 149 of the
Luxembourg Criminal Code incurs imprisonment of between
15 days and 2 months and/or a fine between EUR 251.00 and
EUR 5,000.00;
- anyone liable for an infringement of article 460 of the
Luxembourg Criminal Code incurs imprisonment of between
8 days and 2 months and/or a fine between EUR 251.00 and
EUR 2,000.00.
Communications secrecy laws – contents of communication
Relevant law
Law of 11 August 1982 on privacy (‘Loi du 11 août 1982
concernant la protection de la vie privée’).
Reference
http://www.legilux.public.lu/leg/textescoordonnes/compilation/recueil_lois_speciales/VIE.pdf
Main provisions in relation to ID theft
Article 2 of the law of 11 August 1982 on privacy forbids anyone
to intentionally infringe the privacy of a third party:
• by opening, acknowledging by any means whatsoever the
content of, or deleting a message sent or forwarded in a
sealed envelope, without the consent of its recipient;
• by listening to or making listen to, recording or making
record, broadcasting or making broadcast by any device
whatsoever speeches said in private, without the consent
of the speaker.
Article 3 of the same law also forbids deploying any device with a
view of committing the above-mentioned crime or to render it
possible.
This would apply to any ID theft incident involving the
recording or acknowledging of communications.
Prescribed sanction
In addition to damages that may be awarded to the victim in civil
proceedings, anyone liable for an infringement of the above-mentioned
provisions incurs imprisonment of between eight days
and one year and a fine of EUR 251.00 up to 5,000.00.
Communications secrecy laws – contents and traffic data relating to electronic
communication
Relevant law
Law of 30 May 2005 on specific provisions for the protection of
persons with regard to the processing of personal data in the
electronic communications sector and amending articles 88-2
and 88-4 of the Code of Criminal Procedure (‘Loi du 30 mai
2005 relative aux dispositions spécifiques de protection de la personne
à l’égard du traitement des données à caractère personnel dans le
secteur des communications électroniques et portant modification des
articles 88-2 et 88-4 du Code d’instruction criminelle’).
Reference
See pages 26 to 31:
http://www.legilux.public.lu/leg/a/archives/2005/0073/a073.pdf#page=26%23page=26
Main provisions in relation to ID theft
Article 4 para. 2 of this Law forbids, as a rule, any third party,
other than the user of the electronic service, to listen to, tap or
store communications or the traffic data relating thereto, or to be
engaged in any other kinds of interception or surveillance
thereof, without the consent of the user.
The provision generally applies to unlawful acts in which a third
party tries to obtain information on the existence of someone
else’s electronic communications or of the technical
characteristics of such communications (eg, protocols used, IP
addresses, duration, usernames/passwords), and in which this
information is abused. This would apply to any ID theft incident
requiring the collection/abuse of such data.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, any person who contravenes the provisions of the
above-mentioned article shall be sentenced to imprisonment
between eight days and one year and/or a fine of between 251
and 125 000 Euros. The court may also order the cessation of
any processing which contravenes the provisions of this article,
subject to financial legal constraint.
Fraud
Relevant law
Criminal Code (‘Code Pénal’).
Reference
See page 18:
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T03.pdf
Main provisions in relation to ID theft
Article 231 of the Luxembourg Criminal Code punishes anyone
who has publicly taken the name of a third party.
According to Luxembourg case law, this article only sanctions the
public use of a third party's name. This article should not apply
to the theft of a login or password that remains private.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, any person who contravenes the provisions of the
above-mentioned article shall be sentenced to imprisonment
between eight days and three months and/or a fine of between
EUR 251,00 and EUR 3,000.00.
Fraud
Relevant law
Criminal Code (‘Code Pénal’).
Reference
See page 11:
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft
1. Article 496 of the Luxembourg Criminal Code forbids any
act of swindling consisting in using a false name or quality in
order to obtain assets or values.
2. Article 496-1 of the Luxembourg Criminal Code punishes
anyone who has made a false or incomplete statement in
order to keep or obtain social benefits.
Prescribed sanction
Respectively:
1. In the situation ex Article 496 supra, apart from damages
that the victim may receive in civil proceedings, any
person who contravenes the provisions of the above-mentioned article shall be sentenced to imprisonment
between 1 month days and 5 years and a fine of between
EUR 251,00 and EUR 30,000.00;
2. In the situation ex Article 496-1 supra, apart from
damages that the victim may receive in civil proceedings,
any person who contravenes the provisions of the above-mentioned article shall be liable to imprisonment
between 1 month and 5 years and a fine of between
EUR 251,00 and EUR 30,000.00.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (‘Code Pénal’).
Reference
See p.8 to 14:
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T03.pdf
Main provisions in relation to ID theft
Forgery with respect to identities on a document is punished by
the following articles of the Luxembourg Criminal Code:
- Article 194: forgeries committed by public servants in the
course of their employment on official documents, including
through the use of falsified signatures or by falsifying information
in official registers or documents;
- Articles 195 and 196: forgeries committed by any other person
on public or private documents, including electronic documents
by using falsified, added or altered signatures or written
statements, as well as the use of falsified documents;
- Article 198: falsifying passports or other identity documents or
intentionally using such documents.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 194 (public servants) can be
criminally sanctioned with imprisonment between 10
and 15 years;
• Violations of article 196 (general public) can be
criminally sanctioned with imprisonment between 5 and
10 years;
• Violations of article 198 (general public) can be
criminally sanctioned with imprisonment between 1
month and 2 years and/or a fine between EUR 251.00
and 12,500.00.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code (‘Code Pénal’).
Reference
See page 16:
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft
Article 509-1 of the Luxembourg Criminal Code punishes
anyone who has fraudulently accessed or remained within all
or part of an automated data processing system.
This would apply to ID theft incidents involving the use of false
credentials to gain authorised access to an information system or
to steal credentials from such a system.
Prescribed sanction
In addition to damages that may be awarded to the victim in the
course of civil proceedings, anyone who breaches article 509-1 of
the Luxembourg Criminal Code incurs imprisonment ranging
from 2 months up to 2 years and/or a fine from EUR 500,00 to
EUR 25,000.00 of EUR 30,000.00.
Where this behaviour causes the suppression or modification of
data contained in that system or any alteration of the functioning
of that system, the sentence incurred is imprisonment
between 4 months and 2 years and/or a fine from EUR
1,250.00 to EUR 25,000.00.
Cybercrime – illegal data interference
Relevant law
Criminal Code (‘Code Pénal’).
Reference
See page 17:
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft
Article 509-3 of the Luxembourg Criminal Code punishes
anyone who has, intentionally and regardless of the rights of
third parties, directly or indirectly, introduced, cancelled or
modified data in an automated data processing system.
This would apply to ID theft incidents involving the falsifying of
identity information stored in an information system.
Prescribed sanction
In addition to damages that may be awarded to the victim in the
course of civil proceedings, anyone who breaches article 509- of
the Luxembourg Criminal Code incurs imprisonment between
3 months and 3 years and/or a fine between EUR 1,250.00 and
EUR 12,500.00.
Cybercrime – computer-related forgery
Relevant law
Criminal Code (‘Code Pénal’).
Reference
See p. 9:
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T03.pdf
See p. 7:
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft
The above-mentioned article 196 of the Luxembourg Criminal
Code, as amended by the law of 14 August 2000 on e-commerce,
punishes computer-related forgery and in particular the
falsification of electronic documents.
This would apply to ID theft incidents involving the falsification
and the use of such falsified documents.
In addition, article 488 of the Luxembourg Criminal Code, as
amended by the law of 14 August 2000 on e-commerce, punishes
anyone who has counterfeited or altered keys, including
electronic keys.
However, the law does not define ‘electronic keys’, and the question
of whether such ‘electronic keys’ cover logins and passwords has not
yet been settled by Luxembourg courts.
Prescribed sanction
Article 196 of the Luxembourg Criminal Code sets forth
imprisonment between 5 and 10 years.
Article 488 of the Luxembourg Criminal Code sets forth
imprisonment between 3 months and 2 years and a fine between
EUR 251.00 and 2,000.00.
Cybercrime – computer-related fraud
Relevant law
Criminal Code (‘Code Pénal’).
Reference
See page 16:
http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft
Article 509-2 of the Luxembourg Criminal Code punishes
anyone who has, intentionally and regardless of the rights of
third parties, obstructed or interfered with the functioning of an
automated data processing system.
Prescribed sanction
The criminal punishment in case of a breach of article 509-2 of
the Luxembourg Criminal Code is imprisonment between 3
months and 3 years and/or a fine between EUR 1,250.00 and
EUR 12,500.00.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- a violation of data protection laws, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable (eg, publication of the victim's name, address,
photo, etc.);
- a violation of communication secrecy laws, if the false profile
results in messages being sent to the false profile which were
intended for the real recipient;
- illegal data interference, if the forgery changed the legal impact
of the information;
- name theft (publicly), since the name of a third party is publicly
and fraudulently used.
Case law available?
N.A.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- a violation of data protection laws, since the credentials are
likely to be considered personal data which are being unlawfully
processed;
- a violation of communication secrecy laws, if the use of the
credentials can be qualified as unlawful access to data related to
electronic communications (eg, to make bank transfers);
- illegal access to information systems (hacking);
- possibly, use of falsified keys;
- swindling if falsified messages were sent to unlawfully
appropriate property.
Case law available?
N.A.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
- a violation of data protection laws, since the email addresses,
credentials, etc. are likely to be considered personal data which
are being unlawfully processed;
- a violation of communication secrecy laws, if the collection of
the relevant credentials can be qualified as unlawful access to data
related to electronic communication;
- illegal access to information systems and/or illegal data
interference, if the act of phishing involved entering,
changing or deleting information in an information system
without authorisation (eg, in order to falsify a website).
Case law available?
N.A.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
The act of using falsified identity documents to unlawfully apply
for social benefits would likely be:
- a violation of data protection laws, since the stolen information
used to apply for social benefits is likely to be considered
personal data which is being unlawfully processed;
- forgeries related to identity documents, frauds related to
incomplete or false statement in order to obtain social benefits
and possibly a fraudulent public use of a third party's name;
- illegal access to information systems, since installing the
spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely
involves installing software on the victim’s information system.
Case law available?
N.A.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- a violation of data protection laws, since the personal
information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal
information contained data related to electronic communications
(like email addresses, IP addresses, etc.).
Case law available?
N.A.
There is neither a specific website dedicated to reporting of ID thefts in Luxembourg nor
any other specific off-line reporting mechanism.
The victims of ID theft are required to go through official channels. In this respect, they
have the three following options:
• They can file a criminal complaint at the offices of the Luxembourg Police Force
(‘Police grand-ducale’). The Luxembourg Police Force has also developed an online
form enabling victims to file an online complaint [165]. However, such an online
complaint does not have any legal value and has to be supplemented by a physical
complaint. The Luxembourg Police Force has developed a ‘New Technologies’
service, which is in charge of investigation and prosecution of computer-related
crime. This service has eight engineers and two law enforcement officers (‘officiers
de police judiciaire’). They are competent to receive end-users’ complaints. If they
feel that complaints are well-founded, they transfer the case to the Luxembourg
Public Prosecutor;
• Victims can file a criminal complaint either with the Public Prosecutor (‘Procureur
d’Etat’) or with the competent Examining Magistrate (‘juge d’instruction’). The
Luxembourg Public Prosecutor has investigation and prosecution powers over ID
thefts falling under the scope of the provisions of the Luxembourg Criminal
Code. By virtue of the discretionary powers principle, the Public Prosecutor
decides whether further investigation and criminal prosecution are to be launched. The
Public Prosecutor can therefore decide to drop the case if he thinks that no
criminal offence has been committed. When a complaint for damages
related to ID theft is filed with the Luxembourg Examining Magistrate, alleging that
a criminal offence can be charged, the Examining Magistrate is obliged to
investigate. If the evidence collected is sufficient, the Examining Magistrate
launches criminal prosecution before the competent Luxembourg criminal court;
otherwise he drops the case. If the action of the ‘victim’ is dismissed, the ‘victim’
may be ordered to pay a fine;
• Finally, victims of ID thefts may also bring a civil action before Luxembourg
criminal or civil courts, provided that they know the identity of the defendant.
In addition, it is worth mentioning the works undertaken by CASES (www.cases.lu),
which is a service of the Luxembourg Ministry of Economy and Foreign Trade. This
service aims at increasing awareness of the risks relating to computer systems and
information networks among administrations, companies and citizens.
Through its website, CASES provides highly comprehensive information on the
theoretical risks relating to computer systems and information networks (such as spam,
spyware, viruses, worms, Trojan horses, loss of data, phishing, etc.), including information
aimed at children. CASES also provides information on practical tools against
computing risks (such as antivirus and antispyware software, firewalls, cryptography
solutions, intrusion detection systems, etc.), as well as instructions for the use of computing
technologies in order to ensure the protection of data.
Additionally, CASES trains more than 10.000 pupils each year in information security and
offers training to teachers, parents and companies, in close cooperation with the
Ministry of Education.
[165] http://www.police.public.lu/functions/contact/index.php
Thus, CASES plays an essential role in Luxembourg as regards the dissemination of
information on the risks related to the Internet, including ID thefts and social engineering.
This service is however not entitled to investigate or prosecute cybercrime.
The CASES project has been recognised as ‘good practice’ by ENISA and is referenced in
‘Raising Awareness in Information Security - Insight and Guidance for Member States’ [166].
CASES educates end-users through its website www.cases.lu and various prevention
campaigns, notably in schools. In particular, CASES launched a campaign in January 2009
to improve the handling of private data on social networking sites or on blogs or
homepages.
CASES also carried out a campaign in November 2008 to make people aware
of the dangers of social engineering and of the value of private
information.
Personal assessment of the framework for combating ID theft
Overall, it seems that the legal framework for combating ID theft incidents in
Luxembourg is sufficiently comprehensive. Indeed, most ID theft incidents should be
covered under present legislation. The highly comprehensive information disseminated by
CASES in relation to cybercrime and ID thefts can also be considered a positive
development.
However, there is no single point of contact, online or off-line, dedicated to reporting ID
theft. Victims of ID theft are required to go through official channels (ie, especially
registering a complaint with local police offices). This process is still relatively
opaque to victims, and follow-up to such complaints can be slow, depending on the
availability of resources of the investigating magistrates. ID theft does not appear to take a
high priority in investigations, except in cases of clear and significant harm to the victim.
[166] http://www.cases.public.lu/fr/publications/presentations/2005_12_14_ENISA/index.html
Malta
Applicable laws
Laws focusing explicitly on ID theft
To date there is no legislation in Malta that explicitly regulates ‘ID theft’ as a specific sui
generis offence or contravention, or for that matter, which provides any express definition
or sanctions for such a specific crime.
At the date of drafting of this Malta Profile we are not aware of any laws which are
currently being proposed, planned or otherwise considered with the
intention of expressly legislating on such a crime or of otherwise expressly providing a definition
or specific sanctions for the offence of ‘ID theft’.
Following a request for information carried out with the Malta Police Force Cyber Crime
Unit (hereinafter ‘the Unit’) we can also confirm that the Unit itself is also not aware of or
involved in any discussions/consultations in this respect.
Therefore, at present, in the event that an incident of ID Theft occurs, legal action may be
pursued under Maltese law only if the incident may be deemed to constitute or form part
of another offence at law (or if it is deemed to be ‘preparatory works’ of such other offence
or for instance, ‘conspiracy’ to commit such other offence).
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
The Data Protection Act (Chapter 440 of the Laws of Malta Act
XXVI of 2001, as amended by Acts XXXI of 2002 and IX of
2003; Legal Notices 181 and 186 of 2006; 426 of 2007 and Act
XVI of 2008) to make provision for the protection of individuals
against the violation of their privacy by the processing of personal
data and for matters connected therewith or ancillary thereto.
Reference
See
http://docs.justice.gov.mt/lom/legislation/english/leg/vol_13/chapt440.pdf
Main provisions in relation to ID theft
The Data Protection Act transposes the provisions of the Data
Protection Directive 95/46/EC.
ID theft incidents should constitute unlawful processing which
violates several obligations of the Controller under the Data
Protection Act including amongst others:
(i) Article 7 – requirements for processing (including
the rules relating to proportionality, purpose,
transparency, security and data retention);
(ii) Article 9 – criteria for processing (including
unambiguous consent and necessity to process);
(iii) Article 29 – prior notification.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, an offence under the Data Protection Act shall
subject the person convicted to criminal liability of either:
(i) a fine (multa) not exceeding EUR 23,293.73; or
(ii) imprisonment for six (6) months; or
(iii) both fine and imprisonment.
Communications secrecy laws
Relevant law
The Electronic Communications (Personal Data And Protection
of Privacy) Regulations (1st April 2004) - Subsidiary Legislation
399.25, Legal Notice 19 of 2003, as amended by Legal Notice
523 of 2004, 425 of 2007 and 199 of 2008.
Reference
See
http://www.gov.mt/frame.asp?l=1&url=http://www2.justice.gov.mt/lom/home.asp
Main provisions in relation to ID theft
Reference to these Regulations is made taking into account that
the definition of ‘ID Theft’ for purposes of this Report includes
any action in which a party ‘acquires, transfers, possesses or uses
personal information of a natural person in an unauthorized
manner…’.
In fact, these regulations protect the confidentiality of
communications and for instance, in terms of Regulation 4, no
person other than the user of communications may listen, tap, store or
undertake any other form of interception or surveillance of
communications and of any related traffic data, without the
consent of the user concerned.
These Regulations also provide that the use of electronic
communications networks to store information or to gain access
to information stored in the terminal equipment of a
subscriber/user shall only be allowed on condition that the
subscriber/user concerned is provided by the controller with clear
and comprehensive information, including information about the
purposes of the processing, in accordance with the Data
Protection Act. Failure to abide by this regulation is an offence.
In addition, the Regulations further regulate the processing of
traffic data and location data and thus stipulate that such
processing is to be carried out only by persons acting under the
lawful authority as stipulated in the same Regulations and for
purposes which are necessary. Failure to abide by this regulation
also constitutes an offence.
Prescribed sanction
A person who suffers any loss or damage because of any
contravention of these Regulations is entitled to take action before
the competent Civil court seeking compensation for that loss or
damage.
Otherwise, any person who contravenes or fails to comply with
the Regulations shall be liable to the following:
(i) an administrative fine not exceeding EUR 23,293.73
for each violation; and
(ii) EUR 2,329.37 for each day during which such
violation persists, which fine shall be determined and
imposed by the Data Protection Commissioner.
Communications secrecy laws
Relevant law
The Maltese Constitution
Reference
See
http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt0.pdf
Main provisions in relation to ID theft
The Maltese Constitution provides for the fundamental right and
freedom of persons from the interference with their private
correspondence. This right and freedom applies irrespective of the
tools/means of communications used and therefore encompasses a
much wider protection of personal data in the context of private
correspondence.
Where private correspondence is interfered with in the execution
of the crime of ID Theft, then the injured person may bring an
action in Civil Court, First Hall to protect his/her fundamental
right in this respect. This action is without prejudice to any other
action with respect to the same matter that is lawfully available to
the injured person.
Prescribed sanction
In the event of a breach of such fundamental freedom the Courts
are to give such directions as they may consider appropriate for the
purpose of enforcing, or securing the enforcement of, any of the
right and of the protection to which the person is concerned
under that right.
This action is without prejudice to any other action with respect
to the same matter that is lawfully available to the injured person.
Communications secrecy laws
Relevant law
The Electronic Commerce Act (Chapter 426 of the Laws of
Malta) of the 10th May, 2002, as amended.
Reference
See
http://docs.justice.gov.mt/lom/legislation/english/leg/vol_13/chapt426.pdf
Main provisions in relation to ID theft
Article 23 of the E-Commerce Act states that it is an offence for a
person to access, copy or otherwise obtain possession of, or to
recreate, the signature creation device of another person without
authorisation, for the purpose of creating, or allowing or causing
another person to create an unauthorised electronic signature
using such signature device.
In addition it is also an offence for a person to alter, disclose or
use the signature creation device of another person without
authorisation, or in excess of lawful authorisation, for the purpose
of creating or allowing or causing another person to create an
unauthorised electronic signature using such signature creation
device.
More specifically, the E-Commerce Act stipulates that no person
shall create, publish, alter or otherwise use a certificate or an
electronic signature for any fraudulent or other unlawful purpose
and that no person shall misrepresent his identity or authorisation
in requesting or accepting a certificate or in requesting suspension
or revocation of a certification.
Prescribed sanction
Any person contravening any of the provisions of the Electronic
Commerce Act shall be guilty of an offence and shall, on
conviction, be liable to the following:
(i) a fine (multa) not exceeding €232,935; or
(ii) imprisonment not exceeding six (6) months; or
(iii) both such fine and imprisonment.
In the case of a ‘continuous’ offence the punishment shall be a
fine not exceeding €2,325 for each day during which the offence
continues.
Communications secrecy laws – connection to telecoms system
Relevant law
Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference
See
http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft
Article 298A of the Criminal Code – Fraud provides that
constructing, altering, making, or possessing (or otherwise selling
or purchasing) any device with which one may ‘unlawfully connect
with any telecommunication system’ is an offence.
Prescribed sanction
Apart from damages that the victim may receive pursuant to civil
proceedings, liability for an offence in terms of Article 298A shall
be as follows:
(a) where the offence is committed for gain or by way of trade, to
imprisonment for a term not exceeding one year or to a fine
(multa) of not more than EUR4,658.75 or to both such fine and
imprisonment;
and
(b) in all other cases, to a fine (multa) of not more than
EUR2,329.37.
Identity Cards Act
Relevant law
The Identity Cards Act, Chapter 258 of the Laws of Malta (Act LI
of 1975, as amended).
Reference
See:
http://docs.justice.gov.mt/lom/legislation/english/leg/vol_6/chapt258.pdf
Main provisions in relation to ID theft
Under this Act, an ‘identity card’ is defined as a document issued
in respect of a person under and in accordance with this Act for
the purpose of identifying that person.
Article 12 of the Act states that no person other than the holder of
an identity card issued under the Act (or the authorised agent of
the holder) shall have in his possession or make any use whatever
of any identity card and any person who comes into possession of
an identity card issued to some other person is to immediately
deliver or forward it to the holder thereof.
Prescribed sanction
Any person who contravenes any of the provisions of the Act shall
in respect of each offence, be liable to a fine (multa) not exceeding
EUR 232.94 and, in the case of a continuing offence, to a fine
(multa) not exceeding EUR 11.65 for each day during which the
offence continues.
In addition, a person shall be liable on conviction to
imprisonment for a period of not less than two (2) years and not
exceeding five (5) years if, with ‘intent to deceive’, that person does any of the
following:
(i) contravenes such provisions or makes any false
statement; or
(ii) gives any false information; or
(iii) produces any false document, for any of the purposes
of this Act, knowing the same to be false; or
(iv) forges an identity card or any other document
whatsoever required by, or intended for, any of the
purposes of this Act; or
(v) aids or abets the commission of any offence against
the Act.
Passport Ordinance
Relevant law
The Passport Ordinance, Chapter 61 of the Laws of Malta (10th
July, 1928) enacted by Ordinance III of 1928, as amended.
Reference
See:
http://docs.justice.gov.mt/lom/legislation/english/leg/vol_3/chapt61.pdf
Main provisions in relation to ID theft
Under the Act, a ‘passport’ is defined as a certificate of identity,
identity card or official document issued for travel purposes by the
competent authority. An incident of ID Theft may be deemed to
occur in the event that a passport is used unlawfully, including as
follows:
Article 3 – Transfer of Passport: it is an offence if a person who
is in possession of a passport whether issued to him by a
competent authority or not, transfers such passport to any other
person or receives a passport transferred to him by any other
person.
Article 4 – Use of Passport issued to another person: it is an
offence if a person makes use, or attempts to make use of a
passport issued to any other person.
Article 5 – Falsification of Passport: it is an offence if any
person forges, alters or tampers with any passport or uses or has in
his possession any passport which he knows to be forged, altered
or tampered with.
Article 6 – False Statement in Application for Passport: it is an
offence if a person knowingly makes any false statement in any
application or recommendation in connection with the issue or
renewal of a passport.
Prescribed sanction
The following sanctions shall apply:
(i) An infringement of Article 3 – imprisonment for a
term not exceeding two years;
(ii) An infringement of Article 4 – imprisonment for a
term not exceeding six months.
(iii) An infringement of Article 5 – imprisonment for a
term from six months to two years.
(iv) An infringement of Article 6 – imprisonment for a
term not exceeding six months.
Fraud
Relevant law
Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference
See
http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft
The Criminal Code regulates ‘Fraud’ and ancillary offences of
fraud under Sub-title III of Title IX of the Act.
The Act provides offences with respect to specific acts of fraud
such as (i) fraud by ‘misappropriation’ of anything entrusted to a
person belonging to another or (ii) fraud relating to insurance or
(iii) fraudulent breach of trust in respect to papers signed in blank
etc.
More specifically however, Article 308 of the Criminal Code
provides an offence in the event that a person ‘by means of any
unlawful practice, or by the use of any fictitious name, or the
assumption of any false designation, or by means of any other deceit,
device or pretence calculated to lead to the belief in the existence of
any fictitious enterprise or of any imaginary power, influence or
credit, or to create the expectation or apprehension of any chimerical
event, shall make any gain to the prejudice of another person’.
Article 309 of the Criminal Code deals with all other cases of
fraudulent gain and therefore provides for an offence in the event
that a person makes ‘any other’ fraudulent gain not mentioned in
Article 308.
Prescribed sanction
Aside from civil damages which may be afforded in civil
proceedings, the following applies:
(i) violations of article 308 can be criminally sanctioned
with fines of imprisonment for a term from seven
months to two years;
(ii) violations of article 309 can be criminally sanctioned
by imprisonment for a term from one to six months
or to a fine.
In both cases however the following may apply:
(a) when the amount of the damage caused by the offender
exceeds €2,329.37 the punishment shall be that of imprisonment
from thirteen months to seven years;
(b) when the amount of the damage caused by the offender
exceeds €232.94 but does not exceed €2,329.37 the punishment
shall be that of imprisonment from five months to three years
(unless higher according to the Criminal Code);
(c) when the amount of the damage caused by the offender does
not exceed €23.29 the offender shall be liable to imprisonment for
a term not exceeding three months;
(d) when the amount of the damage caused by the offender does
not exceed €11.65, the offender shall be liable to imprisonment
for a term not exceeding twenty days or to a fine or to the
punishments established for contraventions.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference
See
http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft
The offence of forgery is governed by Articles 166 to 177 of the
Criminal Code, including particularly:
• Article 166: forgery of Government debentures or opening
of credit relative to such loan in the books of Government
Treasury;
• Article 167: forgery of any schedule, ticket, order or other
document whatsoever, upon the presentation of which
any payment may be obtained, or any delivery of goods
effected, or a deposit or pledge withdrawn from any
public office or from any bank or other public institution
established by the Government, or recognized by any
public act of the Government;
• Article 170: forgery of Government or judicial or official
acts;
• Articles 179-182: forgeries committed by public officers
or public servants;
• Article 183: forgery of any authentic and public
instrument or of any commercial document or private
bank document, by counterfeiting or altering the writing
or signature, by feigning any fictitious agreement,
disposition, obligation or discharge, or by the insertion of
any such agreement, disposition, obligation or discharge
in any of the said instruments or documents after the
formation thereof, or by any addition to or alteration of
any clause, declaration or fact which such instruments or
documents were intended to contain or prove;
• Article 187: forgery of private writings;
• Article 188: false declaration or information to a public
authority;
• Article 189: any other type of forgery not provided for
above.
NB Pursuant to Article 189A of the Criminal Code the
aforementioned Articles apply to forgery of any ‘document’,
‘instrument’ ‘writing’ ‘book’ ‘card, disk, tape, soundtrack or other
device on or on which information is or may be recorded or stored by
mechanical, electronic or other means.’
Prescribed sanction
Aside from damages that the victim may receive in civil
proceedings, the sanctions for offences under the following Articles shall be:
(i) Article 166: imprisonment for 3 up to 5 years with or
without solitary confinement. If the forgery consists
of the endorsement of a genuine Government
debenture, 13 months up to 4 years with or without
solitary confinement.
(ii) Article 167: 13 months up to 4 years with or without
solitary confinement;
(iii) Under Articles 166 and 167, if committed by a Public
Officer or Servant, the punishment shall be increased
by 1 degree;
(iv) Article 170: imprisonment of 2 up to 4 years with or
without solitary confinement (increased by 1 degree if
the fact is committed by Public Officer/Servant);
(v) Articles 179-182: imprisonment of 18 months up to
3 years with or without solitary confinement;
(vi) Article 183: imprisonment of 13 months up to 4 years
with or without solitary confinement;
(vii) Article 184 adds that any person who shall knowingly
make use of any of the false acts, writings,
instruments or documents mentioned in the
preceding articles of this sub-title, shall, on
conviction, be liable to the punishment established
for the forger;
(viii) Article 187: liable to imprisonment for a term from
seven months to three years, with or without solitary
confinement. Whosoever shall knowingly make use
thereof, shall be liable to the same punishment;
(ix) Article 189: 6 months imprisonment (or 7 months to
1 year imprisonment if the fact is committed by
Public Officer).
In all crimes of forgery when committed by public officers or
servants, the punishment of perpetual general interdiction shall
always be added to the punishment laid down for the crime.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference
See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft
Computer misuse and illegal access to information systems is
regulated by Articles 327B to 337H of the Criminal Code,
particularly by Article 337C which could apply in cases where the
use of false credentials to gain unauthorized access to an
information system, or to steal credentials from such a system
constitutes ID theft.
• Article 337C(1)(a): unlawful access to or use of information
without authorisation, that is, if a person uses a computer or any
other device or equipment to access any data, software or supporting
documentation held in that computer or on any other computer, or uses,
copies or modifies any such data, software or supporting
documentation without authorisation;
• Article 337C(1)(b): outputting of data/software/supporting
documentation without authorisation;
• Article 337C(1)(c): copying of data/software/supporting
documentation without authorisation;
• Article 337C(1)(d): preventing access to data, software or
supporting documentation without authorisation;
• Article 337C(1)(e): impairing operation of a system without
authorisation;
• Article 337C(1)(f): takes possession of data/software/supporting
documentation without authorisation;
• Article 337C(1)(g): installs, moves, alters, destroys, varies or
adds data/software/supporting documentation without authorisation;
• Article 337C(1)(h): discloses a password or other means of access;
• Article 337C(1)(i): uses another person’s access code, password,
user name, electronic mail address or other means of access or
identification information in a computer.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Any person who contravenes any of the above-mentioned provisions
shall be guilty of an offence and shall be liable on conviction to a
fine not exceeding €23,293.73 or to imprisonment for a term not
exceeding four years, or to both such fine and imprisonment.
• If the same act is detrimental to any function or activity of the
government, public service or utility OR by an employee to the
prejudice of his employer OR in most cases of recidivism: the fine
shall be of €232.94 up to €116,468.67 or to imprisonment or to both
fine and imprisonment. For recidivists the penalty shall be of no
less than €1,164.69.
• A person who produces any material or does any other act
preparatory to or in furtherance of the commission of any offence
under these Articles (or any accomplice in such offences) shall be
guilty of that offence and shall on conviction be liable to the same
punishment provided for the offence.
Cybercrime – illegal data interference
Relevant law
See under the sections devoted to ‘Communications secrecy laws –
connection to telecoms system’ and to ‘Cybercrime – illegal access
to information systems (hacking)’.
Reference
Main provisions in relation to ID theft
Particularly relevant is the abovementioned Article 337C(1)(g) of
the Criminal Code.
Prescribed sanction
Cybercrime – computer-related forgery
Relevant law
Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference
See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft
See section above regarding Computer Misuse and sections
regarding forgery above (mainly Article 337C(1)(g): installs,
moves, alters, destroys, varies or adds data / software / supporting
documentation without authorisation.)
Prescribed sanction
Sanctions as described above may apply in relation to both
offences of general forgery and of computer misuse.
Cybercrime – computer-related fraud
Relevant law
Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference
See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft
See sections above regarding Computer Misuse - Article 337C of
the Criminal Code. However Identity theft by computer-related
fraud could also fall under the general Articles on Fraud discussed
above.
Prescribed sanction
Sanctions as described above may apply in relation to both
offences of general fraud and of computer misuse.
Cybercrime – Threats, Private Violence and Harassment
Relevant law
Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference
See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft
Article 249 of the Criminal code provides that the threatening of
the commission of any crime whatsoever by means of any writing,
whether anonymous or signed or in a fictitious name is an offence.
This applies when, for instance, the incidence of ID Theft allows a
person to threaten the commission of a crime (eg, by sending
email to the victim of the ID theft with threats or by using the
victim’s email to send threats to others).
Other offences which also can be derived from or related to ID
Theft include:
(i) Article 250 – blackmail: that is, when a person with intent to
extort money or any other thing, or to make gain, or with intent to
induce another person to execute, destroy, alter, or change any will,
or written obligation, title or security, or to do or omit from
doing any thing, shall threaten to accuse or to make a complaint
against, or to defame, that or another person;
(ii) Article 251A – Harassment: that is, when a person pursues a
course of conduct: (a) which amounts to harassment of another person,
and (b) which he knows or ought to know amounts to harassment of
such other person.
Prescribed sanction
On conviction of a crime in terms of Article 249, the accused
shall be liable to imprisonment for a term from one to six months.
On conviction of a crime in terms of Article 250, the accused
shall be liable to imprisonment for a term from five to eighteen
months. If the offender attained his end, imprisonment for a term
of seven months to three years.
On conviction of a crime in terms of Article 251A, the accused
shall be liable to the punishment of imprisonment for a term from
one to three months or to a fine of not less than EUR 2329.37 and
not more than EUR 4658.75, or to both such fine and
imprisonment. The punishment may be increased by one degree
in certain cases (eg, if the offence is against one’s own father or
mother).
Application in practice
In the sections below, we will examine if/how these regulations are applied in practice,
including the identification of any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Creating a ‘false identity online’ (that is, the creation of a
fictitious non-existing identity online) is not in itself illegal under
Maltese law unless it is deemed to constitute another offence
(such as fraud) which is intended to be committed or is
committed via the creation of a false identity.
If rather than the claiming of a ‘false identity’ one falsely claims
to be someone who he is not (that is he/she commits an incident
of Identity Theft by claiming to be someone else and entering
into the identity of that someone else) then such an incident
would likely involve:
(a) violation of data protection laws: since personal data of
the victim would likely be unlawfully processed to make
the false identity believable (eg, publication of the
victim's name, address, photo, etc.);
(b) forgery / computer-related forgery, if the incident of ID
Theft meant that any information/document was forged
by the offender;
(c) violation of the ID Card Act or the Passport Ordinance
if unlawful reference to an ID Card or Passport (or to a
false ID card or passport) is made by the offender
when creating the false identity;
(d) fraud / computer-related fraud, if the false identity was
used to unlawfully make gain;
(e) Threats / Harassment depending on how the false
identity was used/abused.
Case law available?
Yes. For instance, in the case Police Vs Olaf Cini et (Court of
Magistrates, Criminal), Case No. 64/2006, Olaf Cini was found
guilty of committing an offence in terms of Articles 187 and 188
(Forgery of private writings and false declaration or information
to a public authority respectively), primarily because he
had sent an email which he drafted but which he signed with
someone else’s details and without that other person’s consent or
authorisation. Considering that he was a recidivist (by having
previously committed criminal offences) the Court sentenced Mr
Cini to 10 months imprisonment.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
(As above) Most of the qualifications above could apply,
depending on how the credentials were used:
(a) violation of the data protection act, since the credentials
are likely to be considered personal data which is being
unlawfully processed;
(b) fraud and/or computer-related fraud, if falsified messages
were sent to unlawfully appropriate property;
(c) violation of the ID Card Act or the Passport Ordinance
if unlawful reference to an ID card or Passport (or to a
false ID card or passport) is made by the offender
when creating the false identity;
(d) illegal access to information systems, if the credentials
were used to access a system without authorisation.
Case law available?
Maltese Courts have pronounced several judgements relating to
fraud by persons using the credentials of another person.
For instance:
Police Vs Mary Magdalene Sultana (Case Number 12/2010 –
Court of Magistrates, January 2010): in this case Mary
Magdalene Sultana was accused of committing an offence in
terms of Articles 308, 309 and 310 of the Criminal Code and also
Articles 183, 184 and 258 of the Criminal Code by defrauding a bank of
EUR 18,600 after using a false identity when she presented herself
at the bank’s branch and pretended to be somebody else (who in
fact turned out to be her friend). In fact, she was also accused of
first appearing at the Identity Card department, where she
applied for an identity card in the name of another person
(claiming that she – or rather that other person - had lost her
identity card). Following the issuance of this ID card she
managed to obtain the loan of EUR 18,600 from the bank.
In this Case the Court took into consideration that the accused
admitted to the crime at the early stages of the case and therefore
found her guilty and subjected her to 2 years imprisonment.
However since the accused was willing to pay the sum she
unlawfully obtained (EUR 18,600) the court chose to suspend the
sentence for 4 years to give her an opportunity to reform.
In another case, Police Vs Brenda Mallia (Case No. 289/2009),
Court of Magistrates, Criminal, of the 27th March 2009, Mallia
was accused on several counts for having committed several
offences under the Criminal code, including amongst others, an
offence in terms of unlawful access to, or use of, information
under Article 227C(1). Mallia admitted to committing all the
offences and the court proceeded to sentence her to 26 months
imprisonment.
Phishing (using emails and/or falsified websites to trick users into giving up identity
information, eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The act of phishing itself (independent from what the perpetrator
would do with the stolen information) would likely be:
(a) a violation of the data protection act, since the
credentials are likely to be considered personal data
which is being unlawfully processed;
(b) violation of communication secrecy laws (The Electronic
Communications (Personal Data And Protection of
Privacy) Regulations) if the collection of the credentials
can be qualified as an offence under the Regulations as
described above;
(c) fraud and/or computer-related fraud, if information such
as passwords etc are obtained fraudulently;
(d) violation of the ID Card Act or the Passport Ordinance
if unlawful reference to an ID Card or Passport (or to a
false ID card or passport) is made by the offender
when creating the false identity;
(e) harassment under the criminal code if harassment
techniques are used to obtain information;
(f) illegal data interference, if the act of phishing involved
entering, changing or deleting information in an
information system without authorisation (eg, in order
to falsify a website).
Case law available?
No, to our knowledge until the date of publication of this Report
the Maltese Courts have not produced any judgements on cases
relating to the use of ‘phishing’.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
The following legal sources will apply in the field:
(1) The Social Security Act (Chapter 318 of the Laws of Malta):
this Act states that if any person, for the purposes of obtaining
any Social Security payment, whether for himself or for some
other person, (i) knowingly or recklessly makes any false
statement or false representation; or (ii) produces or furnishes, or
causes or knowingly allows to be produced or furnished, any
document or information which he knows to be false in a
material particular; or (iii) fraudulently fails or omits to report to
the Director of the competent Social Security institution, before
receiving any payment, any change of circumstances which has or
may have a material bearing on the amount, or mode of giving
such payment, shall, on conviction, be liable to a fine of not less
than EUR 46.59 but not exceeding one and a half times the
amount of benefit, pension, allowance or assistance unlawfully
received or EUR 1,164.69, whichever shall be higher, or to
imprisonment for a term of not less than three months but not
exceeding twelve months or to both such fine and imprisonment.
Article 118 of the said Act specifically regulates (i) the forgery of
a ‘National Insurance Stamp’ and (ii) the making, or possession
without lawful justification of any dye, plate, instrument or
material for forging such stamps or (iii) knowingly distributing or
using a forged insurance stamp or (iv) assists or abets in doing
any such acts. Such acts are subject to imprisonment of not less
than three years but not exceeding seven years;
(2) The Criminal Code (sections on Forgery and/or Fraud);
(3) The Passports Ordinance or the Identity Card Act if such
documents are forged or used in breach of such laws.
Case law available?
There are several judgements of the Courts of Malta relating to
such subject matter, such as for instance;
o Police Vs Luigia Zarb Case No. 966/2005 (Court of
Magistrates). In this case the accused (Zarb) was found guilty
of (i) using false names and of committing fraud in terms of
Articles 308, 309 and 310 of the Criminal Code, (ii) of
making false declarations in documents intended for a public
authority in terms of Article 188 of the Criminal code and (iii)
of infringing Article 117 of the Social Security Act by
declaring false information about her inheritance and by
presenting falsified documentation. Since the accused
admitted guilt on all counts and collaborated with the police
the court found her guilty on all counts and condemned her
to twelve months imprisonment suspended for 2 years;
o Police Vs Keith Agius (Case No 1216/2009, Court of
Magistrates, Criminal, February 2010) The merits of this case
were very similar to that of the above-mentioned Luigia Zarb
case. In this case Agius, the accused, was found guilty of
committing an offence in breach of Articles 188, 308 and
310(1)a of the Criminal Code, Article 14 of Chapter 258 (the
Identity Card Act) and Article 117(1)ii of the Social Security
Act. However, since Agius admitted guilt the court granted
him absolute discharge in terms of Article 22 of the Probation
Act (Chapter 446 of the laws of Malta) on condition that he
commits no further crime for 3 years;
o Police Vs Tarcisio Barbara (Case No. 1040/2004, Court of
Magistrates, Criminal, October 2009). In this case the Court
sentenced the accused to six months imprisonment, suspended
for 2 years since his police conduct was clean, he admitted his
guilt, and paid back to the government all amounts which he
unduly took within a short period.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
Trafficking in unlawfully obtained information would constitute:
(a) a violation of the data protection act, since the personal
information would be unlawfully processed;
(b) a violation of communication secrecy laws, if the personal
information contained data related to electronic
communication (like email addresses, IP addresses, etc.);
(c) possibly a claim in terms of intellectual property law
(including infringement of database rights) if the
information/database was stolen from its rightful owner.
Case law available?
No, to our knowledge until the date of publication of this Report the
Maltese Courts have not produced any judgements on cases relating to
the use of ‘trafficking in unlawfully obtained personal information’.
ID theft reporting mechanisms
In Malta there is no website reporting mechanism exclusively focused on ID Theft.
However reference is made to the following general reporting site which would cover the
reporting of such incidents.
www.polizija.gov.mt - reporting site
This website is an e-government initiative focusing primarily on the reporting by any
person whatsoever of any criminal acts and on the provision of information to the police
about ongoing criminal activity or suspected criminal activity. The portal is managed by
the Malta Police Force.
The scope of the portal is not focused purely on ID Theft incidents but is rather a tool
which applies to all types of crimes including offences which, as discussed above, could also
constitute or include elements of ID Theft and which are not necessarily Internet-related
crimes.
The website is a single contact point which is available in both the Maltese language and
the English language.
Formal reporting of a crime must be done in one’s own name, in the name of a third-party
or in the name of a company. Certain obligatory fields must be completed, including
details about what was seen at the incident, the locality and a description of the location,
the date and time-period.
Other general information can be provided to the Police via the website without having to
formally report a crime, including anonymously.
The website also allows the user to follow up on any report which was filed by him/her and
to obtain information from the Police force relating to the incident.
Other sites
Apart from the www.polizija.gov.mt portal, some other websites (also on private initiative)
play a mainly informative role with respect to computer crime including ID theft. Most
notably reference is made to:
(i) www.dataprotection.gov.mt – the website of the Office of the Data
Protection Commissioner provides general information about the
legislation which regulates the processing of Data Protection, with
specific emphasis on the principles of Data Protection. There is
however no specific mention of the dangers, consequences and/or
safeguards against incidents of ID Theft.
The website provides a few FAQs to assist users and furthermore
provides a Complaints Form which can be downloaded and sent to the
Office of the DP Commissioner by conventional mail or by hand with the
purpose of requesting the Commissioner to investigate the case. The
Data Protection Commissioner may order the blocking, erasure or
destruction of data, impose a temporary or definitive ban on
processing, or warn or admonish the controller and may in addition
enforce the provisions of the Act and, in cases of violation, may
impose administrative fines or institute court proceedings.
(ii) www.mca.org.mt – the website of the Malta Communications Authority
which includes some information on Internet trading and the most common
threats faced including fraud, Botnets, ID theft etc.
Personal assessment of the framework for combating ID theft
Generally, the Maltese legislative framework is broad enough to permit incidents of ID
Theft to be prosecuted in Malta as the Malta Police Force Cyber Crime Unit (and possibly
the Office of the Data Protection Commissioner) will normally prosecute such a crime
under another specific offence in terms of law. Indeed, the practical and technical
difficulties to follow up and investigate such incidents, to collect evidence and to take
action in such cases are several and undoubtedly the cross-border nature of such crimes
remains one of the major obstacles related to their successful prosecution.
Nevertheless, from a legislative point of view, we note that it may be worth considering the
possibility of enacting a specific legislation which would broadly define ‘ID Theft’ as a sui
generis offence.
The reason for this is that prosecuting such an offence should no longer necessarily require
the re-moulding of an already-existing offence and for instance the offence of ID Theft in
fraud-related incidents should not necessarily require an element of gain to have been
made. Perhaps different degrees of sanctions should also apply depending on the type of
ID Theft carried out, the means used to do so and the result of such ID Theft.
On a separate note we are of the opinion that increased efforts are required to educate
Maltese Internet users (especially consumers and children) of the possible dangers which
may exist online with respect to Identity Theft. Indeed we note that the Cyber Crime Unit
does invest substantial effort and resources in providing information campaigns about
security on the net especially in schools (for instance last year the Unit gave presentations
in over 50 schools, which presentations would have included guidance on ID Theft).
However at present there appears to be no online tool which serves to provide clear,
user-friendly information to such Internet users and thus the execution of an ongoing online
campaign is recommended.
The Netherlands
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in the Netherlands that focuses explicitly on ID theft as
a specific crime, or that defines such a crime. In practice, ID theft incidents are combated
using the general provisions below (in relation to personal data protection, fraud, forgery,
hacking etc.).
ID theft is also an instrument for harassing or stalking. The first is, as such, not covered by
law; however, stalking legislation is available in the Netherlands and may be used to cover
some ID theft cases. Examples of stalking cases with an ID theft component include cases
like ordering products or subscriptions using the identity of other persons. In these cases,
victims go through considerable stress and effort to undo all the offender’s actions, while
the offender himself has no material benefits. These cases of ID theft occur often, are
usually the result of divorces and are hard to stop.
No such legislation is currently under consideration to our knowledge. Instead, the policy
emphasis in the Netherlands is more on improving awareness of ID theft risks with
potential victims and law enforcement bodies.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law
Law of 6 July 2000 protecting personal data (Wet houdende regels
inzake bescherming van persoongegevens)
Reference
See http://wetten.overheid.nl/BWBR0011468/
Main provisions in relation to ID theft
As under the Data Protection Directive 95/46/EC, ID theft
incidents will typically constitute unlawful processing, as they will
violate legitimacy requirements (article 8), proportionality
obligations and the purpose restriction (articles 9 and 11),
transparency obligations (articles 33-34), security obligations
(article 13) and formal obligations such as the prior notification
to the Dutch Privacy Agency (dpa) (article 27).
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, the violations above can also be criminally
sanctioned with fines of maximum 19.000 EUR or by
imprisonment of maximum 6 months.
Data protection laws – Telecommunication providers
Relevant law
Law of 19 October 1998 on telecommunication (Wet houdende
regels inzake telecommunicatie)
Reference
See http://wetten.overheid.nl/BWBR0009950
Main provisions in relation to ID theft
This Act declares the law regarding protection of personal data
applicable for telecommunication providers. More specifically
article 6.1 of this Act forbids the exchange of acquired and
recorded personal data to a third party and articles 11.2 and 11.3
of this Act impose the protection of personal data by all means
including technical and organizational measures.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations can be sanctioned by OPTA
(‘onafhankelijke Post en Telecommunicatie Autoriteit’) with
fines of up to 450.000 EUR depending on the seriousness of the
offence.
Communications secrecy laws – contents of electronic communication
Relevant law
Criminal Code (Wetboek van Strafrecht)
Reference
See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft
Articles 139c, 139d and 139e forbid the following acts:
• Using any device to record or intercept private data during
transfer by electronic means without the consent of all participants
(article 139c);
• Using any device to record or listen to or intercept a private
conversation, telecommunication or other data during transfer by
electronic means without the consent of all participants (article
139d §1);
• Deploying any device with a view of committing this crime (article
139d §2);
• Keeping or unlawfully using (including revealing) any recordings
made in violation of the provision above (article 139e).
This would apply to any ID theft incidents involving the
recording of electronic communications.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 139c can be criminally sanctioned with fines
of maximum 19.000 EUR or imprisonment of maximum 1 year.
• Violations of article 139d can be criminally sanctioned with fines
of maximum 19.000 EUR or imprisonment of maximum 1 year.
• Violations of article 139e can be criminally sanctioned with fines
of maximum 19.000 EUR or imprisonment of maximum 6 months.
Fraud
Relevant law
Criminal Code (Wetboek van Strafrecht)
Reference
See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft
Fraud in general is punished by Article 326 of the Criminal
Code. This article sanctions any act of using deception (including
use of false names or titles, or any other type of deceptive
manipulation or abuse of good faith or credulity) with a view of
appropriating someone else’s property. This would apply to any
ID theft incidents involving the use of a falsified identity to
appropriate property.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings, violations of article 326 can be criminally
sanctioned with fines of maximum 76.000 EUR or by maximum
imprisonment of 4 years. If the fraud has been perpetrated to
prepare or help a terrorist activity the imprisonment sanction is
increased by one-third of the sentence.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law
Criminal Code (Wetboek van Strafrecht)
Reference
See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft
Forgery is punished by Article 225 of the Criminal Code,
including particularly:
• Art. 225: forgeries on documents destined as proof of any kind, to
be used as true is punishable;
There is a specific penalisation of forgery of payment cards,
article 232 of the Criminal Code, including particularly:
• Art. 232: forgeries on payment cards or any other publicly
available carrier of identity information used to perform a payment
by electronic means or the use thereof knowing the forgery;
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 255 can be criminally sanctioned with a fee
of maximum 76.000 EUR or imprisonment maximum 6 years.
• Violations of article 232 can be criminally sanctioned with a fee
of maximum 76.000 EUR or imprisonment maximum 6 years.
Cybercrime - illegal access to information systems (hacking)
Relevant law
Criminal Code (Wetboek van Strafrecht)
Reference
See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft
Illegal access to information systems is punished by Article 138a
of the Criminal Code, including particularly:
• §1: accessing an information system without authorisation, by (a)
breaking security (b) technical operation (c) using false signals or
a false key or (d) assuming a false identity;
• §2: keeping, processing, revealing or otherwise using data
obtained from a hacked system.
• §3: using a public telecommunication network and uses processing
capacity or hacks on to a third computer
The misuse of devices or access codes, with the intent to commit
computer sabotage and to commit aggravated hacking is
punished by Article 161 sexies (2) of the Criminal Code.
This would apply to any ID theft incidents involving the use of
false credentials to gain unauthorized access to an information
system, or to steal credentials from such a system.
Prescribed sanction
Apart from damages that the victim may receive in civil
proceedings:
• Violations of article 138a can be criminally sanctioned with fines
of maximum 76.000 EUR or by maximum imprisonment of 4 years. If the
fraud has been perpetrated to prepare or help a terrorist activity
the imprisonment sanction is increased by one-third of the sentence.
• Violations of article 161 sexies (2) can be criminally punished
with fines of maximum 76.000 EUR or by maximum imprisonment of 1 year.
Cybercrime – illegal data interference
Relevant law
Criminal Code (Wetboek van Strafrecht)
Reference
See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft
Illegal data interference is punished by Article 350a and 350b of the Criminal Code,
including particularly:
When committed with deceptive intent or intent to cause harm (article 350a Criminal
Code):
• §1: entering, changing or deleting information in an information system without
authorisation or altering its normal use by any technical means;
• §2: causing serious damage to the data in an information system as a result of
committing the crime in §1 by using a public telecommunications network (impeding the
correct functioning of an information system as a result of committing the crime
qualifies as serious damage, Hoge Raad 19 January 1999);
• §3: providing or distributing any data which was primarily delivered to commit the
aforementioned crimes, knowing that these could be used to damage data of an
information system;
• §4: not punishable is the crime as described in §3 if done with the intent to
minimize the damage.
When committed with negligence/non-intentional (article 350b Criminal Code):
• §1: entering, changing or deleting information in an information system without
authorisation or altering its normal use by any technical means if causing serious
damage;
• §2: providing or distributing any data which could be used to damage data of an
information system.
This would apply to any ID theft incidents involving the falsifying of identity
information stored in an information system.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings:
When committed with deceptive intent or intent to cause harm (article 350a Criminal
Code):
• Violations of §1 can be criminally sanctioned with fines of maximum 19.000 EUR or
imprisonment maximum 2 years.
• Violations of §2 can be criminally sanctioned with fines of maximum 19.000 EUR or
imprisonment maximum 4 years.
• Violations of §3 can be criminally sanctioned with fines of maximum 76.000 EUR or
imprisonment maximum 4 years.
When committed with negligence/non-intentional (article 350b Criminal Code):
• Violations of §1 can be criminally sanctioned with fines of maximum 3.800 EUR or
imprisonment maximum 1 month.
• Violations of §2 can be criminally sanctioned with fines of maximum 3.800 EUR or
imprisonment maximum 1 month.
Cybercrime – computer-related forgery
Relevant law
Criminal Code (Wetboek van Strafrecht)
Reference
See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft
No specific penalisation exists for cyber-forgery. Forgery is punished by Article 225
of the Criminal Code, including particularly:
• Art. 225: forgery of documents intended to serve as proof of any kind, to be used
as true, is punishable.
The term ‘writing’ has been interpreted in case law as covering computer files (Hoge
Raad 15 January 1991, Nederlands Jurisprudentie 1991, 68).
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings, violations of
article 255 can be criminally sanctioned with a fine of maximum 76.000 EUR or
imprisonment maximum 6 years.
Cybercrime – computer-related fraud
Relevant law
Criminal Code (Wetboek van Strafrecht)
Reference
See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft
No specific penalisation exists for e-fraud. Fraud in general is punished by Article
326 of the Criminal Code. This article sanctions any act of using deception (including
use of false names or titles, or any other type of deceptive manipulation or abuse of
good faith or credulity) with a view of appropriating someone else’s property. This
would apply to any ID theft incidents involving the use of a falsified identity to
appropriate property.
Prescribed sanction
Apart from damages that the victim may receive in civil proceedings, violations of
article 326 can be criminally sanctioned with fines of maximum 76.000 EUR or by
maximum imprisonment of 4 years. If the fraud has been perpetrated to prepare or help
a terrorist activity the imprisonment sanction is increased by one-third of the
sentence.
Application in practice
In the sections below, we will examine if/how these regulations are applied in practice,
including the identification of any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site
such as Facebook under someone else’s name)
Applicable law(s)
Such an incident would likely involve:
- violation of data protection laws, since personal data of the
victim would likely be unlawfully processed to make the false
identity believable (eg, publication of the victim's name, address,
photo, etc.);
- violation of communication secrecy laws, if the false profile
results in messages being sent to the false profile which were
intended for the real recipient;
- forgery, if the forgery changed the legal impact of the
information;
- fraud, if the false identity was used to unlawfully appropriate
property.
Case law available?
1. Dutch celebrities have been confronted with unauthorized fake profiles on social
network sites. The people behind these profiles were acting like they were the real
person, answering questions and making statements.
2. ID theft has occurred in swindling cases, using fake identities
by creating a free email address (gmail, live, hotmail etc) with the
victim’s name. These email addresses were used to support the
purchase of mobile phone subscriptions, harassing and swindling
through e-Bay or its Dutch competitor Marktplaats.
Unlawfully using another person’s credentials (eg, using someone else’s username or
password to send emails in his/her name)
Applicable law(s)
Most of the qualifications above could apply, depending on how
the credentials were used:
- violation of the data protection act, since the credentials are
likely to be considered personal data which is being unlawfully
processed;
- violation of communication secrecy laws, if use of the
credentials can be qualified as unlawful access to data related to
electronic communication (eg, to make bank transfers);
- fraud, if falsified messages were sent to unlawfully appropriate
property;
- illegal access to information systems, if the credentials were used
to access a system without authorisation.
Case law available?
Some instances of such behaviour have been seen in harassment
cases, usually during/after divorces. However, these do not
necessarily result in criminal prosecution.
Some swindling cases have also involved the unlawful use of
another person’s credentials (although it is not always clear how
the offender got the credentials).
Phishing (using emails and/or falsified websites to trick users into giving up identity
information eg, to collect enough information to log on to someone else’s bank
account)
Applicable law(s)
The most likely qualifications would be:
- fraud, since email or websites are used to trick users into giving up identity
information;
- forgery, if falsified messages were sent to unlawfully appropriate property.
Case law available?
Yes, for example the case of the Amsterdam Court of 28 May 2003 regarding a Nigerian
scam where people were tricked by email. The suspect was convicted of money
laundering, involvement in a criminal organization, fraud, forgery and possession of
forged travel documents, and sentenced to a fine of 411.440 EUR and 4 years and six
months of imprisonment. A copy of the decision can be found here:
http://zoeken.rechtspraak.nl/resultpage.aspx?snelzoeken=true&searchtype=ljn&ljn=AF9286&u_ljn=AF9286
Nigerian scams in the form of Spanish lotteries, FBI emails etc are known in the
practice of the Dutch CMI.
Using falsified identity documents (identity cards, social security cards or passports)
to unlawfully apply for social benefits
Applicable law(s)
The most likely qualifications would be:
- fraud, since the use of a false document would be considered a
deception with a view of unlawfully appropriating tax payer
money;
- forgery;
- violation of the appropriate social security law (which would depend on the
context).
Case law available?
Very few cases are known; the Ministry of Social Affairs and Employment states that it
does not occur frequently since it is much easier to use authentic identity documents
to obtain social benefits and then work undeclared instead of using falsified
documents.
In rare instances, a new digital ID is created for public services
(the process of getting these IDs is time consuming). All these ID
fraud cases were used for getting unlawful tax benefits by
changing bank account number registrations and ‘adding’ some
extra children or reducing income.
Trafficking in unlawfully obtained personal information (eg, selling databases of
email addresses to email marketeers)
Applicable law(s)
The act of trafficking in unlawfully obtained information would
likely be:
- a violation of the data protection act, since the personal
information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal
information contained data related to electronic communication
(like email addresses, IP addresses, etc.).
Case law available?
No known case law; however the Dutch CMI frequently receives
reports of a well known practice consisting of the
selling/distributing of copies of ID documents to criminal
organizations. Copies are obtained from places where people are
required to leave a copy, such as hotels, car rental companies,
employment agencies etc. ID document copies are used in private
sector branches where controls are weak, such as telecom
subscriptions or online retail.
No other notable case law has been identified.
ID theft reporting mechanisms
CMI: reporting site
CMI, the Central Reporting and Information Point for Identity fraud and Identity errors
(Centraal Meld- en Informatiepunt Identiteitsfraude en -fouten,
http://www.overheid.nl/identiteitsfraude) is an initiative of the Dutch government. The
purpose is to assist and advise citizens confronted with identity fraud or mistakes in
the registration of personal data.
Victims usually face several issues:
1. repairing damage or loss and/or getting rid of misled creditors;
2. finding the offender and the cause of the ID fraud;
3. preventing further damage;
4. correcting errors in private and public databases as a result of the fraud.
CMI assists victims with all these issues. Once a victim becomes aware of or suspects
identity fraud, CMI assesses the victim’s situation and advises on the necessary steps to be
taken. In general, victims note their relief to find someone able to give them down to earth
advice, showing them a way out of the unclear and messy situation they are in.
Victims are (when applicable) encouraged to report the fraud to the police, enabling CMI
partners to check the police’s efforts in the case. The police remain responsible for
finding offenders (issue 2). CMI has an advisory role in helping the victim with issues
1 and 3, since these are issues the victims have to handle themselves. On the other
hand, CMI partners may conduct additional research to support the victim’s efforts.
CMI also works on correcting errors in government databases, whether they are a result
of fraud or have other causes. This service is also open for businesses and other
organizations.
CMI has a memorandum of agreement with all public authorities involved in identity
management. CMI transfers cases to the appropriate partners in this network and ensures
follow-up of the ID fraud cases. Partners include police, military police, ministries of
Justice and Interior, immigration authority and public prosecutor.
The CMI website provides information with regard to prevention of abuse, warning signs
that can indicate abuse and an extensive FAQ-list. Inquiries can be made via a contact
sheet that will be answered by email within two business days. From January 2011, online
contact sheets will be available. The CMI front office is also available by phone. Within
three business days after receiving a complaint CMI will contact the victim. After three
weeks a progress report will be provided; this will continue to be done for as long as the
case is not resolved, as solving cases requires regular contact with the victims.
Other sites
Apart from CMI, several other sites play a mainly informative role with respect to ID theft,
including notably:
• GOVCERT.NL (http://www.govcert.nl/) is the Computer Emergency Response Team for
the Dutch Government. Since 2002 it has supported the government in preventing and
dealing with ICT-related security incidents, including coordination in case of
ICT-related incidents and proactive action to prevent or prepare for such incidents
and reduce their impact.
GOVCERT.NL focuses on four main areas: monitoring, knowledge exchange, prevention
and incident handling. GOVCERT.NL also provides alerts and practical advice to the
public and small enterprises via the National Alerting Service Waarschuwingsdienst.nl
(http://www.waarschuwingsdienst.nl), such as warnings regarding IT security related
incidents by email or sms alerts and awareness raising animation videos. Incident
response provides 24/7 availability to coordinate recovery from incidents and consists
of expertise, tools and other capabilities to act, analyse and communicate with
stakeholders and media. This website contains contact information which allows
citizens to contact GOVCERT.NL directly.
• Safecin, the Foundation Addressing Financial-Economic Crime in the Netherlands
(Stichting Aanpak Financieel-Economische Criminaliteit in Nederland), provides a
website called Fraudemeldpunt.nl (http://www.fraudemeldpunt.nl) that specializes in
combating advertising and acquisition fraud. Safecin provides explanations and tips on
how to spot and avoid fraud as well as legal advice if need be.
Organizations can use the website to report advertising and acquisition fraud which
they witnessed or became a victim of. The organization that witnessed a fraud can fill
out a detailed reporting form to help the authorities with the investigation. The
victim of a fraud can file a complaint which Safecin will direct to the competent
authorities so criminal proceedings can be launched.
• Digivaardig&Digibewust (http://www.digivaardigdigibewust.nl/) is a national
information website regarding use of the Internet, email and other digital
applications. It mainly provides information on how to surf safely on the net and
avoid cyber-fraud. It is the successor to the earlier Surf op Safe website.
• Veilig Internetten (www.veiliginternetten.nl) is a media campaign to promote safe
use of Internet, including ID theft. The campaign works in close cooperation with the
aforementioned programme ‘Digivaardig&Digibewust’ and with CMI.
• ID-Check (http://www.idchecker.nl) is a commercial service that allows the
verification of the authenticity of identity documents (ID cards, drivers licenses and
passports). Users can scan these and send the PDF scans to the website. The site
operators verify the documents and report their findings using a standardised report.
• Expertcentre Identity fraud and documents (ECID) is a joint centre of expertise from
the police and the military police. ECID services include a free helpdesk for public
and private parties (both in and outside the Netherlands) who need an advanced check
on ID documents.
(http://www.defensie.nl/marechaussee/service/expertisecentra/expertisecentrum_identiteitsfraude/)
Personal assessment of the framework for combating ID theft
Globally, it seems that the legal framework for combating ID theft incidents in the
Netherlands is sufficiently comprehensive, as there do not appear to be any examples of ID
theft incidents which are not covered under present legislation. As noted above however,
harassment as such (absent of stalking) is not covered by law, even though some instances
of ID theft may lead to harassment. It is currently being evaluated whether ID theft in this
perspective can be effectively dealt with through stalking legislation.
The establishment of a reporting site for reporting ID fraud in general (the aforementioned
CMI portal) can be considered a positive development. Also, starting April 2010 the
Netherlands have organized a Knowledge centre Cybercrime located at the court house ’s-Gravenhage (‘Kenniscentrum Cybercrime’). This centre will record all case law regarding
cybercrime and will supply the judges and clerks with any practical and judicial
information on cybercrime they may require in order to perform their duty.
Based on CMI working experience, the main challenge is involving the private sector:
• The vast majority of identity fraud occurs in the private sector (banks, telecom and
online retail especially).
• Businesses have little incentive for decent ID checks. There is a trade-off between less
fraud (and better ID checks) and more sales (less barriers for